PREFACE


Current hardware verification efforts have only begun to address the problem of composing
asynchronously communicating units. This report presents work underway to formally specify and verify
a floating-point coprocessor based on the MC68881. Our work uses the HOL verification system
developed at Cambridge University. The coprocessor consists of two independent units: the bus
interface unit to communicate with the CPU and the arithmetic processing unit to perform the
actual calculation. We illustrate how the specification and verification process can be organized and
simplified by a generalized hierarchical decomposition methodology that supports reasoning about
horizontal interaction between processes. Techniques of composing processes having independent
time scales are formalized. Reasoning about the interaction and synchronization among processes
using higher-order logic is demonstrated.

The CPU instructions and the floating-point instructions are allowed to execute concurrently to
improve performance. However, the coprocessor interface is designed to maintain a strictly sequential
execution model to reflect the assembly language programmer's view of the system. We discuss the
combination of the CPU and the coprocessor to form a computer system, and explore techniques
to move from the underlying concurrent implementation to the programmer's view of sequential
execution of instructions.
1.0 INTRODUCTION


Formal hardware verification involves using mechanized theorem-proving techniques to verify that
the design of a system satisfies its specification. Because exhaustive simulation is often too time
consuming, and because simulation that is non-exhaustive might miss cases that are incorrect, there
is increasing interest in using a formal approach to reason about hardware designs. This report
describes work in progress on verifying a floating-point coprocessor based on the MC68881 ((ref. 1),
(ref. 2)) *. The coprocessor consists of a bus interface unit (BIU) which communicates with the
CPU, and an arithmetic processing unit (APU).

There has been significant interest in formal verification in recent years ((ref. 3), (ref. 4), (ref. 5), 
(ref. 6), (ref. 7), (ref. 8), (ref. 9), (ref. 10)). Formal proofs of complex systems are not trivial, 
requiring significant machine time and human effort. Perhaps the best known verification effort is 
that of the VIPER microprocessor ((ref. 3), (ref. 4)). VIPER is the first microprocessor intended 
for commercial distribution where a formal verification has been attempted. 

Recent work ((ref. 11), (ref. 12)) has shown that the verification of microprocessors can be
simplified through insertion of intermediate levels of abstraction between the instruction set and the
electronic block model (EBM); the EBM is, generally, the lowest level in the hierarchy and, logically,
represents the object being verified. Through these appropriate intermediate levels, long and
complex proofs are replaced by many more simple proofs. Furthermore, each level is a self-contained
abstraction that has meaning in the explanation of the system. That is, the overall approach of
abstraction reflects the way complex microprocessors are designed. In (ref. 10), microprocessors
with four levels of abstraction are considered. The macro level reflects the programmer's view of
instruction execution. At the micro level, an instruction is interpreted by executing a sequence
of microinstructions. The phase level description decomposes the interpretation of a single
microinstruction into the parallel execution of a set of elementary operations. The lowest level is the
electronic block model, where a number of blocks such as the registers, the ALU and the microROM
are connected together. It is generally accepted that the correctness of the EBM can be established
by simulation.

This report concentrates on two tasks: the first involves the formal composition of three interpreters
(the CPU service, the BIU top level, and the APU top-level interpreter), the composition producing
the floating-point coprocessor (FPC). The CPU service interpreter is that part of the CPU
specification concerned with communication with the BIU. The second task is concerned with the
composition of the CPU and the FPC to form a more abstract view of a computer system, consisting
of both the CPU and FPC. This composition would be verified with respect to a specification
of a single abstract interpreter that provides both integer and floating-point instructions.

*The coprocessor was designed based on the information contained in the MC68881 user's manual.

There are five sections to this report. Section two briefly describes the basic architecture of the
floating-point coprocessor being verified, emphasizing the communication and synchronization
functions; section three presents a methodology for verifying the composition of three interacting
interpreters, the goal being the verification of the coprocessor; section four discusses our approach to
the verification of the CPU-FPC combination.
2.0 THE FLOATING-POINT COPROCESSOR ARCHITECTURE


We now present the design of a floating-point coprocessor (FPC) that is a simplification of the
MC68881. Our coprocessor is designed to interface with a CPU to provide a logical extension to
the CPU's integer data processing capabilities. The assembly language programmer can view the
FPC registers as though they are resident in the CPU. Thus, the CPU and FPC pair appears to
the programmer to be one processor that supports both floating-point and integer operations. That
the floating-point and integer operations are processed by different processors is an implementation
detail to the programmer. Moreover, the coprocessor interface allows the FP instructions to execute
concurrently with the CPU instructions to improve efficiency, but this, too, is an implementation
detail.

2.1 THE HARDWARE OVERVIEW 

The coprocessor is internally divided into two processing elements: the bus interface unit (BIU)
and the arithmetic processing unit (APU) (see fig. 2.1-1). Though the BIU monitors the state of
the APU, it operates independently of the APU. The APU operates on the opcode and operands
that the BIU passes to it. In return, the APU reports its internal state to the BIU. The BIU
maintains the coprocessor interface registers (CIRs) and status flags. The CIR register select and
acknowledgement control logic are also contained in the BIU. The coprocessor interface implements
a protocol that controls the access of these registers by the CPU and the APU. Since the bus is
asynchronous, the FPC need not run at the same clock speed as the CPU.

The APU executes all the floating-point instructions. The floating-point data, control and status 
registers are located inside the APU. In addition to these registers, the APU contains an arithmetic 
unit used for both mantissa and exponent calculations, and a barrel shifter. 


2.2 THE COMMUNICATION PROTOCOL 

Figure 2.1-1: Simplified Block Diagram of the Floating-Point Coprocessor

As mentioned in the last section, the FPC contains a number of coprocessor interface registers
(CIRs) which are addressed by the CPU in the same manner as memory is addressed. When the
CPU fetches a coprocessor instruction, the CPU writes the instruction to the command CIR and
reads the response CIR. In this response, the BIU encodes requests for any additional service
required by the FPC. Data values read by the CPU from the FPC response CIR are referred to as
"primitives". The response has one of the following meanings:

a. The FPC is busy. The CPU then checks for interrupts, processes them, and queries the FPC 
again. In this case, the CPU will not execute the next instruction in the program. 

b. There is an FPC service request. For example, this request might be to evaluate the effective
address and deliver data from the CPU data registers / memory to the FPC.

c. The CPU is not needed. Communication is terminated, and the CPU is free to execute the 
next instruction. 

There are four CIRs that reside inside the BIU. The read-only /write-only designations apply to the 
CPU’s access to these registers. 

a. Response CIR. This read-only register is used to communicate service requests from the FPC
to the CPU.

b. Command CIR. This write-only register is used by the CPU to initiate a dialog for a
coprocessor instruction. When the FPC detects a write to this CIR, the data value is latched from
the data bus.


c. Condition CIR. This write-only register is used by the CPU to initiate the dialog for a 
conditional coprocessor instruction. 

d. Operand CIR. This read/write register is used by the CPU to transfer data to and from the 
FPC. 

Currently we do not have exception-handling capabilities built into the coprocessor. We plan 
to consider this feature in the future. Several additional CIRs will be needed to accommodate 
exception-handling capabilities. 

2.3 THE INSTRUCTION SET

The FPC instructions can be separated into three groups: 

a. Data movement instructions. The FLD and FSTR instructions are used to transfer data between
the floating-point data registers and the main memory or the CPU data registers.

b. Arithmetic operation instructions. One or two operands are specified. The result is always
stored into one of the internal FPC data registers. At most one operand may come from
outside (the CPU registers or the memory).

c. System control instructions. 

2.4 CONCURRENCY AND SYNCHRONIZATION 

Since one FPC instruction usually takes much more time to complete than a CPU instruction, it
is desirable for both the CPU and the FPC to be executing instructions simultaneously. When the
CPU encounters an FPC instruction, it (1) busy-waits until the FPC becomes idle (although it can
service interrupts), (2) causes the FPC to begin the instruction, and then (3) immediately services
the next instruction.

The concurrency between the CPU and the FPC must be implemented to maintain a programming 
model based on sequential instruction execution. There are two possible ways the CPU and the 
FPC may interfere with one another; they must both be disallowed: 
a. The CPU cannot start another FPC instruction if the FPC is still busy executing the previous
instruction.

b. The CPU cannot reference a memory location that is being referenced by the previous (but 
still executing) FPC instruction. 

The first coordination problem is solved by the CPU’s busy wait feature, while the second one is 
solved by the assumption underlying the FPC instruction set. There is no arithmetic instruction 
that can store the result to the memory or the CPU registers. The only way to move data from the 
FPC to the outside world is through the FSTR instruction, which finishes execution as soon as the 
communication between the CPU and the FPC is finished. Therefore the CPU guarantees that all 
programs will produce the same result as if there were only one processor instead of two. 
3.0 VERIFYING THE FPC TOP LEVEL FROM THE THREE COMMUNICATING UNITS

As we recall from the previous section, one floating-point instruction is accomplished by the
cooperative effort of three units: the CPU, the BIU and the APU. The verification of the communication
among the three units is the main focus of this section.

The FPC top-level interpreter is implemented by three interpreters: the BIU top-level interpreter, 
the APU top-level interpreter and the CPU service interpreter (fig. 3.1-1). Each interpreter has 
a separate specification, making it possible to reason independently about each interpreter. The 
specifications are then composed in order to reason about their interaction. Thus, a proof that 
each interpreter is implemented correctly can be carried out independently of the others. 

Since each interpreter is specified independently, we do not assume there is a master clock shared 
by all the units. Each unit has its own clock. Moreover, for each unit, interpreters on different 
abstraction levels also have different time scales. All communication between the units is assumed 
to be performed asynchronously. The busy waiting mechanism used by Joyce (ref. 7) was used to 
specify and verify the asynchronous interaction among the units. 


3.1 HIERARCHICAL DECOMPOSITION 

Windley (ref. 10) describes a hierarchical decomposition of a computer system as a sequence of
interpreters:

    S => B1 => ... => Bn

where S is the structural description, and B1 through Bn represent increasingly abstract
specifications of the system. Generalizing this principle leads to a tree structure or possibly a directed,
acyclic graph, if the computer system structure is a collection of independently operating units. In
the case of a tree, at the root of the tree we have the top-level specification for the whole system.
The leaves of the tree correspond to the structural specifications of the physical units. The nodes
in the middle represent various intermediate abstract specifications for the units.

By applying the above generalized decomposition principle to the floating-point coprocessor, we
obtain the decomposition illustrated in fig. 3.1-1. This model extends the one Windley adapted for
his microprocessor by allowing an interpreter to be implemented by more than one lower-level
interpreter. Therefore, besides the vertical interaction between the lower-level and the higher-level
interpreters, there is horizontal interaction between the lower-level interpreters. The verification that
the composition of several lower-level interpreters implements a higher-level interpreter presents a
problem not previously formalized for hardware verification, and is addressed here.



Figure 3.1-1: An Extended Hierarchy of Interpreters for the FPC 


We adapted a model for describing the interpreters at various abstraction levels. An interpreter is 
a process organized as a state transition system defining the state s, the environment e, and a set 
of transition functions J that relate the state at time t+1 to the state and the environment at time 
t. In our model, the environment is used only for input; output to the environment is modeled as 
part of the state. Each level in the interpreter hierarchy has its own state, environment and time 
scale. A mapping function is used to relate the states, environments and the time scale of vertically 
adjacent interpreters. 
3.2 THE FOUR-PHASE HANDSHAKING PROTOCOL


The FPC executes two different bus cycles, according to the direction of the transfer. They are 
the asynchronous read and asynchronous write bus cycles. The four-phase handshaking protocol 
is used to implement these two types of bus cycles. For the read cycle, the FPC detects the start 
of an asynchronous read cycle when the read request line is asserted by the CPU. The FPC puts 
its data value on the bus and asserts the acknowledgement line (dtack). The acknowledgement 
remains asserted until the read request line is lowered by the CPU to signify the end of the read 
cycle. The BIU then lowers the acknowledgement line (fig. 3.2-1). 
Figure 3.2-1: The 4-Phase Protocol Time Diagram

Fig. 3.2-1 represents the actual signal exchange in the implementation of the four-phase handshaking 
protocol. The implementation of this protocol is represented in the lower levels of the interpreter 
hierarchy (e.g., CPU 4-phase). We would like, however, to define a more abstract view of message 
passing between the CPU and the BIU where the handshaking detail is hidden. This more abstract 
view of communication can then be used in the next higher level, that is, in reasoning about the 
interaction between the CPU and the BIU during the execution of an FPC instruction. 

The definition cir_read_write states that the read or write cycle will be successfully accomplished
in one time unit on the more abstract (higher-level) time scale. In addition, proper signals such as
new_instr and operand_ready are raised so that the BIU will know which CIR the data is latched
into. Since the data transmitted on the data bus are of type *wordn (abstract type of a word of
length n), type conversion is needed in both reading and writing cycles. When an instruction is
written to the command CIR, signal new_instr is raised. Similarly, operand_ready will be raised
if the data is written into the output operand CIR.


    cir_read_write rep address read write datain dataout
                   command response operand_in operand_out condition
                   control new_instr operand_ready =
      |- !t.
         (read t) => %read cycle%
           ((address t = 1) => ((datain(t+1) = (numtow rep (response t))) /\
                                ~(new_instr t) /\
                                ~(operand_ready t)) |
                               ((datain(t+1) = (fptow rep (operand_in t))) /\
                                ~(new_instr t) /\
                                ~(operand_ready t))) |
         (write t) => %write cycle%
           ((address t = 0) => (((command(t+1)) = (wtonum rep (dataout t))) /\
                                (new_instr t = T)) |
                               ((operand_out(t+1) = (wtofp rep (dataout t))) /\
                                (operand_ready t = F) /\
                                (operand_ready (t+1) = T))) |
         %idle cycle%
           ((new_instr t = F) /\
            (operand_ready t = F))


To prove that the implementation of the four-phase handshaking protocol actually implements the
more abstract description cir_read_write, a temporal abstraction from the lower-level time scale
to the upper-level time scale has to be used (ref. 13). Temporal abstraction deals with the sequential
or time-dependent behavior of a device viewed at different "grains" of discrete time.
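The following is an added executable model, not code from the report, of the asynchronous read cycle and its temporal abstraction: the CPU and BIU act only on their own clock edges (cpu_period and biu_period are assumed clock ratios), the fine-grained trace goes through the four handshake phases, and the abstract view collapses the whole cycle to one step in which the value read is the CIR contents, whatever the clock ratio. CIR addresses and contents are constructed sample values.

```python
from dataclasses import dataclass, replace

RESPONSE_CIR = 1   # read-cycle address that selects the response CIR, as in cir_read_write

@dataclass(frozen=True)
class Bus:
    """Bus signals at one fine-grained time step (True = asserted)."""
    read: bool = False     # read request line, driven by the CPU
    address: int = 0       # CIR select, driven by the CPU
    dtack: bool = False    # acknowledgement line, driven by the BIU
    data: int = 0          # data bus, driven by the BIU while dtack is asserted

def read_cycle(cirs, address, cpu_period, biu_period, limit=400):
    """Simulate one asynchronous read cycle at the fine time scale.

    cirs maps CIR addresses to contents (constructed sample values). Each unit acts only on
    its own clock edge (every cpu_period / biu_period fine steps) and sees only the bus value
    from the start of the step, so neither unit observes the other's action within a step.
    Returns the trace of Bus values and the value the CPU latched (None if never completed).
    """
    bus, trace, latched, cpu_phase = Bus(), [], None, 0
    for step in range(limit):
        seen = bus
        if step % biu_period == 0:                      # BIU clock edge
            if seen.read and not seen.dtack:            # request seen: drive data, raise dtack
                bus = replace(bus, data=cirs[seen.address], dtack=True)
            elif not seen.read and seen.dtack:          # request dropped: lower dtack
                bus = replace(bus, dtack=False, data=0)
        if step % cpu_period == 0:                      # CPU clock edge
            if cpu_phase == 0:                          # phase 1: assert the read request
                bus, cpu_phase = replace(bus, read=True, address=address), 1
            elif cpu_phase == 1 and seen.dtack:         # phases 2/3: latch data, drop request
                latched, bus, cpu_phase = seen.data, replace(bus, read=False), 2
            elif cpu_phase == 2 and not seen.dtack:     # phase 4: ack gone, cycle complete
                cpu_phase = 3
        trace.append(bus)
        if cpu_phase == 3:
            return trace, latched
    return trace, None

def phases(trace):
    """Distinct consecutive (read, dtack) pairs seen on the bus."""
    out = []
    for b in trace:
        if not out or out[-1] != (b.read, b.dtack):
            out.append((b.read, b.dtack))
    return out

FOUR_PHASES = [(True, False), (True, True), (False, True), (False, False)]

def abstract_read(cirs, address, cpu_period, biu_period):
    """Temporal abstraction of the cycle: at the abstract time scale the whole handshake is
    one step, after which cir_read_write requires datain(t+1) = response t for address 1.
    Returns (abstract datain value, number of fine steps the abstraction hid)."""
    trace, latched = read_cycle(cirs, address, cpu_period, biu_period)
    if latched is None or phases(trace) != FOUR_PHASES:
        raise RuntimeError("handshake did not complete as a four-phase cycle")
    return latched, len(trace)

if __name__ == "__main__":
    sample = {RESPONSE_CIR: 0x2A, 0: 0x07}           # constructed CIR contents
    for cpu_p, biu_p in [(1, 1), (2, 3), (3, 1), (5, 2)]:
        print(cpu_p, biu_p, abstract_read(sample, RESPONSE_CIR, cpu_p, biu_p))
```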


3.3 SPECIFICATION OF THE THREE INTERPRETERS 


This section describes the specification of the top-level interpreters of CPU service, BIU and APU.
The state tuple and the environment tuple for each of the interpreters are listed in the following
two tables:

    Interpreter    state
    -----------    -----
    CPU_Service    (c_ac, c_reg, mem, dataout, address, read, write, cpu_state)
    BIU            (response, operand_out, decode_reg, resp_ready, f_ac, biu_state, start)
    APU            (f_ac, f_reg, cw, sw, done)

    Interpreter    environment
    -----------    -----------
    CPU_Service    (resp_ready, datain, ir)
    BIU            (command, condition, control, operand_in, done, new_instr, operand_ready)
    APU            (start, decode_reg)


Although the data bus physically is one bi-directional bus, we chose to represent it as two
uni-directional buses: datain and dataout. Fig. 3.3-1 depicts the connection between the CPU and
BIU. Instructions and data fetched from the memory are written by the CPU to the command
and output operand CIR through dataout. Similarly, response and data fetched from the FPC
accumulator are sent by the BIU through the datain bus. The CPU and FPC accumulator and
registers are denoted as c_ac, c_reg, f_ac and f_reg, respectively.


Figure 3.3-1: The State and Environment
3.3.1 SPECIFYING THE CPU SERVICE INTERPRETER 


The CPU service interpreter is the part of the CPU specification that is responsible for
communicating with the BIU in order to execute a floating-point instruction. Since the CIRs reside in the BIU,
reading from or writing to any CIR by the CPU is accomplished by the four-phase handshaking
protocol.

The CPU service interpreter specification is organized as a state machine that has six states. In
state 0, the CPU starts the communication by sending out the current FPC instruction to the
BIU. The CPU then "busy waits" in state 1 for the BIU to put the proper service request in the
response CIR. In state 3, the CPU reads the response CIR, and enters the appropriate state to
provide the requested service. If the response is a null primitive, then the CPU is no longer needed
and, therefore, is free to execute other instructions; if the response is a read primitive (for the FLD
instruction), then the CPU fetches the data from the memory, raises the write request line, puts
the data on the data bus, and goes back to state 0; if the response is a write primitive (for the
FSTR instruction), then the CPU waits until the data is ready in the operand CIR, retrieves it
from the data bus, and stores it to the memory.

The function cpu_service_state determines the new state for the CPU service interpreter from
the current state and the environment by the current value of the state counter cpu_state:


    cpu_service_state n rep cpu_state =
      |- ((cpu_state = 0) => (cpu_begin n rep) |
          (cpu_state = 1) => (cpu_wait_for_response n rep) |
          (cpu_state = 2) => (cpu_wait_4phase n rep) |
          (cpu_state = 3) => (cpu_read_response n rep) |
          (cpu_state = 4) => (cpu_wait_read n rep) |
          (cpu_put_data n rep))


There are four parameters for each state transition function. The second parameter rep is the
representation parameter for abstract data types such as *wordn and *memory. A number of
abstract operations are defined on the abstract data types. For example, the function wtonum
converts a *wordn typed object to type number. The third parameter is the state tuple, and the
last one is the environment tuple. The following is the definition of cpu_begin where the CPU sends
out a new instruction to the BIU. The CPU raises the write request line and puts the instruction
on the data bus.
    cpu_begin n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                     cpu_state) (resp_ready, datain) =
      |- (c_ac, c_reg, mem, ir, (numtow rep ir), 0, F, T, 1)


Note a few details regarding state 1, where the CPU waits for the BIU to finish putting the
appropriate response primitive into the response CIR. Since the CPU and the FPC do not share
the same master clock, the FPC will have to raise a response ready line (resp_ready) to inform the
CPU when the response is ready. The MC68881 does not use the technique of a resp_ready line.
Instead, a so-called "synchronous" read cycle is used to read the response CIR. This "synchronous"
read cycle relates the bus cycle timing directly to the FPC clock to allow the proper response
primitive to be prepared.

The top-level specification of CPU service relates the state at time t+1 to the state and environment
at t by the next state function:


    cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                       cpu_state) (resp_ready, datain) =
      |- !t. (c_ac(t+1), c_reg(t+1), mem(t+1), ir(t+1), dataout(t+1),
              address(t+1), read(t+1), write(t+1), cpu_state(t+1)) =
             cpu_service_state n rep (cpu_state t)
               (c_ac t, c_reg t, mem t, ir t, dataout t, address t, read t,
                write t, cpu_state t)
               (resp_ready t, datain t)


3.3.2 SPECIFYING THE BIU TOP-LEVEL

In order to allow an FPC instruction to start executing, the BIU communicates with the CPU to
obtain the necessary information, and to inform the APU to start processing in the case of an
arithmetic instruction. There are four states for the BIU top-level state machine. In state 0, the
BIU is idle and waits for the next instruction to be sent over by the CPU. In state 1, the BIU
decodes the current instruction in the command CIR and determines whether the CPU is needed
to transfer data. If a transfer is required, a read or write primitive is placed into the response CIR.
Otherwise, the null primitive is issued to inform the CPU of the termination of the communication
for arithmetic instructions. Further, the APU is started when the instruction is an arithmetic
instruction. If the instruction is FLD, the BIU waits for the CPU to place data in the operand CIR
and then the BIU transfers the data to the FPC accumulator. If the instruction is FSTR, the BIU
fetches data from the FPC accumulator and stores it in the operand CIR, making it available for
the CPU. For arithmetic instructions, the BIU waits till the APU finishes executing.


    biu_top_state n rep biu_state =
      |- (biu_state = 0) => (biu_idle n rep) |
         (biu_state = 1) => (biu_decode n rep) |
         (biu_state = 2) => (biu_wait_op n rep) |
         (biu_state = 3) => (biu_fld n rep) |
         (biu_wait_apu n rep)


In order to compose the CPU, the BIU and the APU interpreter, the three interpreters have to
be expressed with respect to a common time scale. We chose the cpu_service clock rate as the
common clock rate. Therefore, the behavior of biu_top and apu_top must be described in terms
of the clock rate of cpu_service. We chose to use existential quantification to describe the BIU
top-level behavior. More specifically, the specification states that there exists some future time t'
such that the BIU finishes executing. If the clock of apu_top is faster or of the same speed as the
clock of cpu_service, t' will be equal to t+1. However, if the apu_top clock is slower, t' will be
bigger than t+1.

The following definition is the APU top-level behavior from the CPU's point of view. The
interpreter for the BIU top-level relates the state tuple at time t+1 or t' to the state and environment
tuple at time t, depending on whether the BIU is waiting for the CPU or is doing some work
required for the current FPC instruction. For example, at state 1, if the FPC instruction arrives
at CPU time t, then at CPU time t' the instruction will be decoded and the proper response is
sent. Further, t' is the first time that the response is ready (First (t, t') resp_ready), and
the start signal to the APU will remain stably low from t to t' (Stable (start, F, t, t')).
    biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                       biu_state, start)
                      (command, condition, control, operand_in, done, new_instr,
                       operand_ready) =
      |- !(t:num). ?(t':num). ((t+1) <= t') /\
         (let state_tuple    = (state_tuple_biu t) and
              state_tuple_t1 = (state_tuple_biu (t+1)) and
              env_tuple      = (env_tuple_biu t) and
              state_tuple_t' = (state_tuple_biu t') in
          (((biu_state t = 0) \/ (biu_state t = 2)) =>
             (state_tuple_t1 = biu_top_state n rep (biu_state t)
                                 state_tuple env_tuple) |
           (biu_state t = 1) =>
             ((First (t, t') (resp_ready)) /\
              (Stable (start, F, t, t')) /\
              (state_tuple_t' = (biu_decode n rep state_tuple env_tuple))) |
           (biu_state t = 3) =>
             ((~(operand_ready t)) =>
                (state_tuple_t1 = (response t, operand_out t, decode_reg t,
                                   resp_ready t, f_ac t, 3, start t)) |
                ((Stable (start, F, t, t')) /\
                 (state_tuple_t' = (response t, operand_out t, decode_reg t,
                                    resp_ready t, operand_out t, 0, start t)))) |
           (state_tuple_t' = (biu_top_state n rep (biu_state t)
                                state_tuple env_tuple))))


3.3.3 SPECIFYING THE APU TOP-LEVEL 

The APU top-level interpreter describes the APU behavior with respect to each floating-point
arithmetic instruction. The state on the APU top-level does not contain the instruction register,
the CPU accumulator, the CPU registers and the memory. Instead the APU gets the current
instruction from the decoder register that resides inside the APU. For example, the specification
APU_FADD asserts that the content of the FPC accumulator is added to the content of a designated
FPC register, and the result is stored in the accumulator.
    APU_FADD n rep (f_ac, f_reg, cw, sw, done)
                   (start, decode_reg) =
      |- let (addr:num) = (Addr n decode_reg) in
         ((FST (FP_ADD n1 n2 f_ac (f_reg addr))), f_reg,
          cw, sw, T)


NextState_apu determines the new state for the APU top-level interpreter from the current state
and environment according to the opcode of the current instruction stored in the decoder register.
The execution of load and store instructions does not involve the APU. For this discussion, we are
only concerned with four arithmetic instructions, that is addition, subtraction, multiplication and
division.


    NextState_apu n rep opcode =
      |- ((opcode = 2) => (APU_FADD n rep) |
          (opcode = 3) => (APU_FSUB n rep) |
          (opcode = 4) => (APU_FMUL n rep) |
          (APU_FDIV n rep))


Similar to biu_top_cpu, apu_top_cpu specifies the APU top-level behavior from the CPU's point
of view. It states that if the start signal has not arrived, the APU will remain idle. If the APU
starts to execute at CPU time t, however, then there exists some future CPU time t' such that the
APU will finish the execution of the instruction.


    apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                      (start, decode_reg) =
      |- !t. (~start t) =>
             ((f_ac(t+1), f_reg(t+1), cw(t+1), sw(t+1), done(t+1)) =
              apu_idle n rep (f_ac t, f_reg t, cw t, sw t, done t)
                             (start t, decode_reg t)) |
             (?t'. (t < t') /\
                   (First (t, t') (done)) /\
                   ((f_ac t', f_reg t', cw t', sw t', done t') =
                    NextState_apu n rep (Opc n (decode_reg t))
                      (f_ac t, f_reg t, cw t, sw t, done t)
                      (start t, decode_reg t)))
3.4 VERIFYING THE FPC TOP-LEVEL


This section describes the methodology used to verify that the cooperative effort of the three 
interpreters implements the FPC top-level specification. The key to this proof is the asynchronous 
communication among the three interpreters. 


3.4.1 SPECIFYING THE FPC TOP-LEVEL 

The function performed by each FPC instruction is not accomplished by the coprocessor alone, but
requires interaction with the CPU. Hence, the state visible at this level includes the FPC registers
plus the CPU registers and the memory contained in the CPU service interpreter state. The CPU
registers and the instruction register do not reside inside the FPC, nor does the coprocessor directly
reference the memory, but the FPC top-level interpreter reflects the assembly language
programmer's point of view of floating-point instruction execution and treats the FPC as a single unit.
For example, from the programmer's point of view, the current FPC instruction being executed is
in the instruction register, and the FLD and FSTR instructions directly load from and store to the
memory.

The specification for the FPC instruction FLD at the FPC top-level is as follows, where c_ac , 
c_reg, mem and ir are the CPU accumulator, the CPU data registers, the main memory and 
the instruction register, respectively. The FLD instruction fetches data from the main memory 
and stores it to the FPC accumulator. Function (Addr n ir) returns the memory address of the 
operand that is fetched. 


    FLD n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir) =
      |- let data = fetch rep mem (Addr n ir) in
         (((wtofp rep) data), f_reg, c_ac, c_reg, mem)


The interpreter for the FPC top-level is expressed as a predicate relating the value of the state
tuple at time t' to the value of the state tuple at time t according to the function NextState_fpc.
The reason that each instruction is specified to finish at some time t' instead of t+1 is that the
behavior of the FPC is specified from the CPU's point of view. This specification will be used later
to compose the CPU top-level specification and the FPC top-level specification to form a complete
computer system.
3.4.2 WAITING STATES

Sometimes the APU top-level interpreter and the CPU service interpreter must wait until some
signal becomes high. During these waiting periods, the state tuple remains unchanged. For example,
for the CPU service interpreter, its state machine waits in state 1 until the signal resp_ready
becomes high. Using induction on the length of the wait period, we can prove theorem wait_cpu
stating that the state counter cpu_state (which is an element of the cpu_service state tuple)
remains stable while the CPU is waiting in state 1 for the signal resp_ready.


wait_cpu =
    |- cpu_service n rep (c_ac, c_reg, mem, ir, dataout,
                          address, read, write, cpu_state) (resp_ready, datain) ⇒
       ∀(t:num). (cpu_state t = 1) ⇒
                 StableUntil (cpu_state, 1, t, resp_ready)


There are a number of theorems in this form. For example, theorem wait_cpu2 states that the
memory and the instruction register remain stable until the response has arrived (because the
CPU has not been freed from its floating-point execution duty at this point). Similarly, wait_apu
guarantees that the FPC accumulator and registers will remain stable until the signal start from
the BIU arrives. Theorems such as these will be used in the next section to reason about the
interaction of the three implementing interpreters to prove the FPC top-level interpreter.


3.4.3 VERIFYING THE FLD INSTRUCTION 

To verify the FPC top-level interpreter, the interaction of the three implementing interpreters must
be formalized. Although the FPC top-level interpreter is defined in terms of state transitions that
represent the execution of single instructions, each FPC transition represents some unspecified
number of transitions by the lower-level interpreters. An example of this is shown in the following
theorem, FLD_Correct.


FLD_Correct =
    |- ∀rep response operand_out decode_reg biu_state start command
        condition control operand_in done new_instr operand_ready
        resp_ready f_ac f_reg cw sw c_ac c_reg mem ir cpu_state
        address read write datain dataout n.
         (biu_top_cpu n rep state_tuple_biu env_tuple_biu) ∧
         (apu_top_cpu n rep state_tuple_apu env_tuple_apu) ∧
         (cpu_service n rep state_tuple_cpu_service env_tuple_cpu_service) ∧
         (cir_read_write rep
            address read write datain dataout command
            response operand_in operand_out condition control
            new_instr operand_ready) ⇒
         (∀t.
            (Opc n (ir t) = 0) ∧                         % FLD %
            ¬start t ∧
            (biu_state t = 0) ∧
            (cpu_state t = 0) ⇒
            ∃t'.
              (f_ac t', f_reg t') =
              FPCstate (FLD n rep (f_ac t, f_reg t, c_ac t, c_reg t, mem t) (ir t)))


Theorem FLD_Correct states that the FLD instruction is correctly implemented by the three inter-
acting units: the CPU service, the BIU and the APU. More formally, the definitions of the CPU
service, BIU and APU and the correctness of the four-phase protocol imply that for any time t at which
the current instruction is FLD and each of the three units is in its initial state, the effect of
running the three lower-level interpreters together is the same as that of running the top-level FPC
interpreter. Function FPCstate is used to filter out those elements of the state tuple that might
be changed by the CPU after the CPU is freed from its floating-point activity: the CPU accumulator
and registers, the memory, and the instruction register. The same is true for the arithmetic
instructions. However, for the FSTR instruction the entire state is used, since the CPU is not free
until FSTR has finished executing.

To illustrate the verification technique, we examine the interaction between the three units for the
FLD instruction. At time t, the BIU and APU are idle and cpu_service initiates the communication
by sending out the current FPC instruction to the BIU. More specifically, the CPU raises the write
request line and places the instruction on the data bus (state transition function cpu_begin). The
correctness property of the four-phase handshaking protocol (cir_read_write) ensures that the
instruction is delivered to the command CIR and the signal new_instr is raised.

At time t+1 the state machine of the CPU service interpreter is in state 1 and waiting for the
response ready signal resp_ready from the BIU. At time t+2 the BIU discovers that a new
instruction is placed in its command CIR; it then decodes the instruction and puts a proper response
primitive into the response CIR. In this case, the response is a read primitive. Since the BIU
operates on a different clock, the decoding will be done at time t', with t' bigger than t (state
transition function biu_decode).

During the interval t+2 to t', the CPU and the APU are idle. The waiting theorems described in
the previous section ensure that the state tuples of the CPU service and the APU remain unchanged.
The CPU detects that the proper response is ready at t', and enters state 2 to wait for the response
to be put on the databus. The CPU reads the response from the databus at t'+2 and realizes that
data needs to be fetched from the memory. Thus, the CPU fetches the data, raises the write request
line and puts the data on the databus (cpu_read_response). From now on, the CPU is no longer
needed, and is free to execute other CPU instructions. The four-phase protocol ensures that the
data will be put into the operand CIR. At time t'+4 the BIU stores the data to the accumulator
and the whole operation is finished (biu_fld). During the entire process, the APU remains idle. A
more detailed view of the communication among the three interpreters is illustrated in fig. 3.4-1.
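The interaction just described, as an added executable model written for this page (it is not the report's HOL text): the CPU-service and BIU state machines step on the CPU clock, the four-phase protocol is modelled by its correctness property, and the BIU's independent time scale is represented by a configurable decode latency. The encodings of the response primitives and of the instruction word (opcode in the high nibble, Addr in the low nibble) are assumptions of the model, and the APU stays idle, as in the text.

```python
from dataclasses import dataclass, replace

READ_P, WAIT_P, NULL_P, OPC_FLD = 1, 3, 0, 0  # primitives and FLD opcode (encodings assumed)

@dataclass
class Cpu:                            # cpu_service tuple (c_ac, c_reg omitted: FLD keeps them)
    mem: dict
    ir: int
    dataout: float = 0
    address: int = 0
    read: bool = False
    write: bool = False
    state: int = 0

@dataclass
class Biu:                            # biu_top tuple; countdown stands in for the BIU's own clock
    response: int = NULL_P
    resp_ready: bool = False
    f_ac: float = 0.0
    state: int = 0
    countdown: int = 0

@dataclass
class Cir:                            # coprocessor interface registers plus the CPU's datain bus
    command: int = 0
    operand_out: float = 0.0
    datain: int = 0
    new_instr: bool = False
    operand_ready: bool = False

def cpu_service_state(cpu, resp_ready, datain):
    """cpu_service_state: CPU-service tuple at t+1 from the tuple and env at t."""
    c = replace(cpu, read=False, write=False)
    if cpu.state == 0:                # cpu_begin: instruction word into the command CIR
        c.dataout, c.address, c.write, c.state = cpu.ir, 0, True, 1
    elif cpu.state == 1:              # cpu_wait_for_response: spin until resp_ready
        if resp_ready:
            c.address, c.read, c.state = 1, True, 2
    elif cpu.state == 2:              # cpu_wait_4phase: one cycle for the handshake
        c.state = 3
    elif cpu.state == 3:              # cpu_read_response
        if datain == READ_P:          # FLD: fetch operand, write the operand CIR, go free
            c.dataout, c.address, c.write, c.state = cpu.mem[cpu.ir & 0xF], 2, True, 0
        else:                         # wait_p re-polls the BIU; null primitive frees the CPU
            c.state = 1 if datain == WAIT_P else 0
    return c                          # FSTR path (states 4 and 5) is not exercised here

def biu_top_state(biu, cir, decode_delay):
    """biu_top_state: BIU tuple at t+1; decoding takes decode_delay extra cycles."""
    b = replace(biu)
    if biu.state == 0 and cir.new_instr:      # biu_idle: a command has arrived
        b.state, b.countdown = 1, decode_delay
    elif biu.state == 1:                      # biu_decode, on the BIU's slower time scale
        if biu.countdown:
            b.countdown -= 1
        elif cir.command >> 4 == OPC_FLD:     # need_read: ask the CPU for the operand
            b.response, b.resp_ready, b.state = READ_P, True, 2
        else:                                 # arithmetic: hand over to the APU (state 4)
            b.response, b.resp_ready, b.state = NULL_P, True, 4
    elif biu.state == 2:                      # biu_wait_op
        b.state = 3
    elif biu.state == 3 and cir.operand_ready:  # biu_fld: operand CIR -> accumulator
        b.f_ac, b.state = cir.operand_out, 0
    return b

def cir_read_write(cpu, biu, cir):
    """Four-phase handshake correctness property: what the CPU drives at t is in the
    addressed CIR at t+1; new_instr and operand_ready are one-cycle pulses."""
    n = replace(cir, new_instr=False, operand_ready=False)
    if cpu.read and cpu.address == 1:         # read the response CIR
        n.datain = biu.response
    elif cpu.write and cpu.address == 0:      # write the command CIR
        n.command, n.new_instr = cpu.dataout, True
    elif cpu.write:                           # write the operand CIR
        n.operand_out, n.operand_ready = cpu.dataout, True
    return n

def run_fld(mem, ir, decode_delay, max_cycles=64):
    """Run both machines from the FLD_Correct initial state (all idle, no start).
    Returns (trace, cycle the CPU is freed, cycle the FPC finishes, final f_ac)."""
    cpu, biu, cir = Cpu(dict(mem), ir), Biu(), Cir()
    trace, freed_at, done_at = [], None, None
    for t in range(max_cycles):
        trace.append((t, cpu.state, biu.state, biu.resp_ready))
        cir_n = cir_read_write(cpu, biu, cir)             # consumes the CPU's drive at t
        biu_n = biu_top_state(biu, cir, decode_delay)
        if freed_at is None and t > 0 and cpu.state == 0:
            freed_at = t                                  # back in state 0: CPU duty is over
        cpu = (cpu_service_state(cpu, biu.resp_ready, cir.datain) if freed_at is None
               else replace(cpu, read=False, write=False))   # a freed CPU drives nothing
        if biu.state == 3 and biu_n.state == 0:
            done_at = t + 1                               # biu_fld has stored the operand
        biu, cir = biu_n, cir_n
        if done_at is not None:
            break
    return trace, freed_at, done_at, biu.f_ac

def wait_cpu_holds(trace):
    """wait_cpu: in state 1 with resp_ready low the state counter does not move."""
    return all(nxt[1] == 1 for cur, nxt in zip(trace, trace[1:])
               if cur[1] == 1 and not cur[3])
```

For every decode latency the CPU is back in state 0, free for its own instructions, two cycles before biu_fld stores the operand, and cpu_state stays at 1 until resp_ready, which is the content of wait_cpu.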


3.4.4 VERIFYING THE FPC TOP-LEVEL INTERPRETER 


Theorems like those above are proved for every FPC instruction (currently six of them). These
theorems are used to establish a theorem stating that the three top-level interpreters of CPU
service, BIU and APU imply the FPC top-level. The initial condition is more complicated in this
proof. Usually when proving the correctness of a microprocessor, for instance from micro level to
macro level, the initial condition will be that the microprogram counter is zero. Here a function
Initial_State is defined to include the initial conditions for all three components.
fpc_top_w_initial n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir)
                        (start, new_instr, resp_ready, read, biu_state, cpu_state) =
    |- ∀t.
         Initial_State (start, new_instr, resp_ready, read, biu_state, cpu_state, t) ∧
         ValidOpcode n rep (ir t) ⇒
         ∃t'.
           (f_ac t', f_reg t') =
           FPCstate (NextState_fpc n rep (ir t)
                       (f_ac t, f_reg t, c_ac t, c_reg t, mem t) (ir t))


Using the theorems for each valid FPC instruction and the definitions that were given above, we 
can prove the final theorem for this level: 


FPC_Correct =
    |- ∀rep response operand_out decode_reg biu_state start command
        condition control operand_in done new_instr operand_ready
        resp_ready f_ac f_reg cw sw c_ac c_reg mem ir cpu_state address
        read write datain dataout n.
         (biu_top_cpu n rep state_biu env_biu) ∧
         (apu_top_cpu n rep state_apu env_apu) ∧
         (cpu_service n rep state_cpu_service env_cpu_service) ∧
         (cir_read_write rep
            address read write datain dataout command
            response operand_in operand_out condition control
            new_instr operand_ready) ⇒
         fpc_top_w_initial n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir)
            (start, new_instr, resp_ready, read, biu_state, cpu_state)
4.0 COMBINING THE CPU AND THE FPC


With the inclusion of the FPC, the system provides an instruction set which contains both the
CPU instruction set and the FPC instruction set. At the abstraction level of the assembly language
programmer, the system appears as a single unit. Furthermore, at this level of abstraction,
the instructions appear to be executed in a sequential manner. However, the underlying implementation
of instructions is concurrent. This sequential execution of instructions is "equivalent" to
the underlying concurrent execution only in the sense that the final result of the program will be
identical. This section discusses our methodology for specifying and verifying the computer system
consisting of the CPU and the FPC as shown in fig. 4.0-1. More specifically, we are going to discuss
the approach to abstract the FPC top-level to the concurrent top-level and subsequently to the
sequential top-level.



Figure 4.0-1: Hierarchical Decomposition of the CPU-FPC System


4.1 SPECIFYING THE SEQUENTIAL TOP-LEVEL INTERPRETER 


The sequential top-level interpreter (shown in outline form in Sequential_Top_Level) reflects the
assembly language programmer's view of sequential execution. The functions FPC_NextState and
CPU_NextState execute the current FPC or CPU instruction pointed to by the program counter.
Sequential_Top_Level state env =
    |- ∀ time t.
         if the current instr is a FPC instr =>
           state (t+1) = FPC_NextState (state t) (env t) |
           state (t+1) = CPU_NextState (state t) (env t)


The total state at this level, state, can be partitioned into three disjoint sets: (1) cpu_s, which
includes the CPU data registers and the memory; (2) fpc_s, which includes the FPC data registers;
and (3) joint_s, which has the program counter. If the current instruction is FSTR, the function
FPC_NextState modifies the total state. However, if the current instruction is a FPC instruction
other than FSTR, then FPC_NextState only modifies fpc_s and joint_s. Similarly, the function
CPU_NextState only modifies cpu_s and joint_s, but not fpc_s. Note that cpu_s is not the state
at the CPU top-level. The same applies for fpc_s. This will be discussed in the next section.

At the concurrent top-level, each clock tick represents the start of a new instruction. A CPU
instruction only needs one clock cycle to complete, while a FPC instruction may need more than
one cycle. In addition, a FPC instruction cannot be started unless the FPC has finished the
previous instruction. The state and the environment at this level are the same as those at the
sequential top-level.


Concurrent_Top_Level state env =
    |- ∀ time t.
         if the current instr is of FPC type =>
           (∃ c. at t+c, the FPC instr will be completed ∧
                 ∀ t'. (0 < t' < c ⇒
                        the instr at t+t' is not a FPC instr)) |
           at t+1, the CPU instr will be completed


We need to prove the following sequential top-level correctness statement (with the correct abstraction
function).


Concurrent_Top_Level ∧ Non_Interference ⇒ Sequential_Top_Level


The non-interference property has the following four aspects:

a. The state of the CPU cpu_s and the state of the FPC fpc_s are disjoint.

b. The CPU never modifies the FPC state.

c. The FPC never modifies the CPU state except by using the FSTR instruction.

d. A FPC instruction is never started unless the FPC has finished executing the previous
instruction.

Conditions (a) to (c) are implicitly provided by the nature of the instruction set, and are modeled
in Non_Interference in the above correctness statement. The fourth condition is guaranteed by
the implementation and modeled in the specification of the concurrent top-level interpreter.


4.2 THE ABSTRACTION FROM THE CONCURRENT LEVEL TO THE SEQUENTIAL LEVEL

Suppose the sequential execution flow of an instruction stream is "F1 C1 C2 C3 F2 F3 C4 F4 C5 C6", where
F's and C's represent FPC and CPU instructions, respectively*. The sequential and concurrent
execution sequences of the above instruction stream are depicted in fig. 4.2-1. The dotted line indicates
the mapping points of the abstraction, which will be discussed later. The instruction labels marked
above the line are the starting times of the corresponding instructions, while the labels below the
line represent the finishing times. For example, on the concurrent level, instruction F1 starts at time
0 and finishes at time 3.

Fig. 4.2-2 shows the sequential top-level state and the concurrent top-level state for the above
instruction stream at each clock tick. The CPU state cpu_s on both levels is always the same at
each clock tick. However, at some points the FPC state fpc_s on the concurrent level is different
from fpc_s on the sequential level. For instance, at time 2 the total state on the sequential
level equals the CPU state modified by C1, the FPC state modified by instruction F1, and the
incremented program counter (the first table). At the corresponding time the total state on the
concurrent level equals the CPU state modified by C1, the FPC state at time 1 and the incremented
program counter (the second table). In this particular example, the total state on the sequential
level and the total state on the concurrent level are equivalent at times 3, 4, 5, 7 and 10; while at
all other points the total states on the two levels are different.

* Because of branching instructions, the program and its sequential execution sequence might be different.

Figure 4.2-1: The mapping between the sequential top-level and the concurrent top-level

More formally, assume the instruction stream is:
More formally, assume the instruction stream is: 

F, C1, C2, ..., Cn, F'

Since CPU instructions C1 to Cn do not interfere with F, any one of the following execution
sequences will have the same result as the above. The only requirement is that F must be executed
before F'. Depending on the instruction type of F and how fast each instruction is executed, the
concurrent top-level interpreter will specify one of the following sequences:

F, C1, C2, C3, ..., Cn, F'

C1, F, C2, C3, ..., Cn, F'

C1, C2, F, C3, ..., Cn, F'

...

C1, C2, C3, ..., Cn, F, F'

Suppose F does not finish until Ci starts. This is equivalent to:

C1, C2, ..., Ci-1, F, Ci, ..., Cn, F'

Further assume the instruction stream starts at time 0. Then the FPC state on the concurrent
level from time 0 to time i-1 is always equivalent to the FPC state at time 0 on the sequential
level, since F does not finish executing until time i. However, from time i to n, the total states
on the two levels are identical. Although the exact time that F finishes is unknown, F will finish
before F' starts. Therefore at time n+1 (the time F' starts), the total state on the sequential level
is guaranteed to be identical to the total state on the concurrent level.

Instead of looking at the state after the execution of each instruction, a "chunk" of instructions is
examined. Each "chunk" is defined by a sequence of the form FC*, denoting one floating-point
instruction followed by zero or many CPU instructions. The start of a "chunk" is a floating-
point instruction, and the termination is the last CPU instruction that precedes a floating-point
instruction. In the example presented in fig. 4.2-1, the "chunks" are "F1C1C2C3", "F2", "F3C4" and
"F4C5C6". At the end of each "chunk", the states on the two levels are always identical. Those
points, therefore, become the mapping points between the concurrent top-level and the sequential
top-level.
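To make the abstraction of sections 4.1 and 4.2 concrete, the following added example (written for this page, not part of the report) runs the instruction stream of fig. 4.2-1 through executable versions of the sequential and concurrent top-level interpreters and checks where their total states coincide. The per-instruction latencies (3, 1, 2 and 3 ticks for F1 to F4) and the arithmetic effects are constructed here so that the two levels agree exactly at the times the text lists; FSTR is excluded, so conditions (a) to (c) hold by construction and only condition (d) is checked.

```python
from collections import namedtuple

# An instruction: its name, kind 'F' (FPC) or 'C' (CPU), its effect on the state
# component it owns, and for 'F' the number of concurrent-level ticks it takes.
Ins = namedtuple("Ins", "name kind op latency")

def F(k, latency):               # FPC instruction (not FSTR): adds 2^(k-1) to fpc_s (constructed)
    return Ins(f"F{k}", "F", lambda s: s + 2 ** (k - 1), latency)

def C(k):                        # CPU instruction: adds k to cpu_s (constructed)
    return Ins(f"C{k}", "C", lambda s: s + k, 1)

# The stream of fig. 4.2-1; latencies chosen so F1 finishes at time 3 as in the text.
STREAM = [F(1, 3), C(1), C(2), C(3), F(2, 1), F(3, 2), C(4), F(4, 3), C(5), C(6)]

def sequential_top_level(stream):
    """Sequential_Top_Level: state(t+1) = FPC_NextState or CPU_NextState of state t.
    Returns the total state (cpu_s, fpc_s, pc) at times 0..len(stream)."""
    cpu_s, fpc_s, pc = 0, 0, 0
    hist = [(cpu_s, fpc_s, pc)]
    for ins in stream:
        if ins.kind == "F":
            fpc_s = ins.op(fpc_s)        # FPC_NextState: modifies fpc_s and joint_s only
        else:
            cpu_s = ins.op(cpu_s)        # CPU_NextState: modifies cpu_s and joint_s only
        pc += 1
        hist.append((cpu_s, fpc_s, pc))
    return hist

def concurrent_top_level(stream):
    """Concurrent_Top_Level: tick t starts instruction t; a CPU instruction completes
    at t+1, an FPC instruction started at t lands in fpc_s at t+c. Raises if an FPC
    instruction would start before the previous one has finished (condition (d))."""
    cpu_s, fpc_s, pc = 0, 0, 0
    pending, fpc_busy_until, hist = {}, 0, []
    for t in range(len(stream) + 1):
        if t in pending:                 # an earlier F completes at this tick
            fpc_s = pending.pop(t)(fpc_s)
        hist.append((cpu_s, fpc_s, pc))  # the state observed at time t
        if t == len(stream):
            break
        ins = stream[t]
        if ins.kind == "F":
            if fpc_busy_until > t:
                raise RuntimeError(f"{ins.name} started while the FPC is busy")
            pending[t + ins.latency] = ins.op
            fpc_busy_until = t + ins.latency
        else:
            cpu_s = ins.op(cpu_s)
        pc += 1
    return hist

def equal_times(seq_hist, conc_hist):
    """Ticks at which the total states on the two levels coincide."""
    return [t for t, (s, c) in enumerate(zip(seq_hist, conc_hist)) if s == c]

def chunk_ends(stream):
    """Mapping points: the end of each FC* chunk, i.e. the tick at which the next
    floating-point instruction starts, plus the end of the stream."""
    f_starts = [t for t, ins in enumerate(stream) if ins.kind == "F"]
    return f_starts[1:] + [len(stream)]

def chunks(stream):
    """Split the stream into the FC* chunks of section 4.2 (names only)."""
    out = []
    for ins in stream:
        if ins.kind == "F" or not out:
            out.append([])
        out[-1].append(ins.name)
    return ["".join(c) for c in out]
```

Time 0 is the shared initial state; apart from it, the levels agree exactly at 3, 4, 5, 7 and 10, and every chunk end is among those points while cpu_s agrees at every tick.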

4.3 VERIFYING THE CONCURRENT TOP-LEVEL

As depicted in fig. 4.0-1, the concurrent top-level interpreter is implied by two lower-level inter-
preters: the CPU top-level and the FPC top-level interpreters. The synchronization between the
CPU and the FPC is specified by both the CPU and the FPC top-level interpreters.

The CPU top-level interpreter determines if the current instruction is a FPC instruction. If it is,
then the CPU will synchronize with the FPC by waiting until the FPC is idle. Otherwise, the
interpreter relates the state at t+1 to the state and environment at t through the CPU instruction
selected according to the current program counter. At this level, the state consists of the part of the
concurrent top-level state that does not concern the FPC (for example the CPU registers, the memory
and the program counter) plus the busy line emitted by the FPC.


CPU_Top_Level state_cpu env_cpu =
    |- ∀ time t.
         if the current instr is FPC type =>
           (if FPC is busy =>
              state_cpu(t+1) = wait until FPC is idle |
              state_cpu(t+1) = finish the communication) |
           state_cpu(t+1) =
              (Selected CPU instr) (state_cpu t) (env t)


The concurrent top-level correctness statement is as follows: 
Figure 4.3-1: The mapping between the concurrent top-level and the CPU, FPC top-level


(CPU_Top_Level ∧ FPC_Top_Level) ⇒ Concurrent_Top_Level


Usually, when proving an implementation (lower-level interpreter) implies a specification (an upper- 
level interpreter), a temporal abstraction is defined from the lower-level time scale to the upper-level 
time scale (fig. 4.3-1). However, in this case there are two units on the lower level, each with its 
own independent time scale. One way to solve this problem is to map the FPC time to the CPU 
time scale. 

For example, in fig. 4.3-1, F1 is actually completed by the FPC before the CPU completes the
execution of C2. However, since the clock ticks on the concurrent top-level only represent the
starting time of each instruction, F1 is not considered to be finished until C3 starts executing,
which is the same time C3 finishes. The notation "*F1" denotes the communication between the
CPU and the FPC for the instruction F1. The waiting of the CPU for the FPC to finish execution
is signified by "w", and the FPC's idle period is signified by "i". As we can see in fig. 4.3-1,
the waiting period of the CPU is collapsed into the execution time of the previous instruction, for
example, C4.
5.0 CONCLUSION


This report describes work on the verification of a floating-point coprocessor from three commu- 
nicating implementing processes. Traditionally, hierarchical decomposition only involves vertical 
abstraction: an abstraction level is implemented by a single implementing level under it. In this 
project, three interacting processes are used to prove the correctness of the implemented process, 
that is, the FPC top-level interpreter. 

Furthermore, we described the methodology for the composition of the CPU and coprocessor top- 
level specifications to form a more abstract view of the whole system consisting of the CPU and 
the FPC. Two levels of abstraction are used, the concurrent top level and the sequential top level. 
We believe this kind of abstraction approach presents a very interesting problem. Extending this
approach, a complete system composed of many devices can be shown to correctly implement a
more abstract system specification.
APPENDIX A: SPECIFICATION OF THE INTERPRETERS


%
File: cpu_service.ml
Author: Jing Pan
Date: March 1991

Purpose: The CPU part concerning communication between
         the CPU and the FPU.
%


loadf `/csgrad/panj/holdir/init.ml`;;

loadf `abstract.ml`;;

loadf `tactics.ml`;;

system `/bin/rm -f cpu_service.th`;;

set_flag (`sticky`, true);;

new_theory `cpu_service`;;

loadf `aux_defs.ml`;;

map new_parent [`aux`; `interface`];;

autoload_defs_and_thms `aux`;;

let rep_ty = abstract_type `interface` `fetch`;;


%
state = (c_ac, c_reg, mem, ir, dataout, address, read, write,
         cpu_state)

env   = (resp_ready, datain)


cir_read_write

correctness property of the 4-phase handshaking
protocol.

the address of the cirs:

  command      0
  response     1
  operand_in   2
  operand_out  3
  condition    4
  control      6


datain  : cpu <-- biu
dataout : cpu --> biu

        +-------+                        +-------+
        |       |      dataout           |       |  command
        |       |----------------------->|       |  operand_out
        |  CPU  |                        |  BIU  |
        |       |      datain            |       |  response
        |       |<-----------------------|       |  operand_in
        |       |                        |       |
        +-------+                        +-------+


Note: setting new_instr and operand_ready is instant!!
%

let cir_read_write = new_definition
  (`cir_read_write`,
   "! (rep:^rep_ty) (address:num->num) (read write:num->bool)
      (datain dataout:num->*wordn) (command:num->num) (response:num->num)
      (operand_in:num->fp) (operand_out:num->fp)
      (condition control:num->num) (operand_ready:num->bool)
      (new_instr:num->bool) .
    cir_read_write rep address read write datain dataout
                   command response operand_in operand_out condition
                   control new_instr operand_ready =
    ! t.
      (read t) =>
        ((address t = 1) => ((datain (t+1) = (numtow rep (response t))) /\
                             ~(new_instr t) /\
                             ~(operand_ready t)) |
                            ((datain (t+1) = (fptow rep (operand_in t))) /\
                             ~(new_instr t) /\
                             ~(operand_ready t))) |
      (write t) =>
        ((address t = 0) => (((command (t+1)) = (wtonum rep (dataout t))) /\
                             (new_instr t = T)) |
                            ((operand_out (t+1) = (wtofp rep (dataout t))) /\
                             (operand_ready t = F) /\
                             (operand_ready (t+1) = T))) |
      % no read or write %
      ((new_instr t = F) /\
       (operand_ready t = F))"
  );;


%
Define the state transition

CPU_service stays (wait) at every state until
something happens to prompt it to go to another
state.


cpu_begin

put the instr into the command cir, goto 1

Since all the CIR's reside inside the biu,
any read or write by the cpu from or to the CIRs is
implemented by a four phase handshaking protocol

CPU writes to the BIU cirs, therefore "write = T"
and "read = F". We have to specify read being false
since last time read might be true. Then read (t+1) = read t
would make read true all the time.
%

let cpu_begin = new_definition
  (`cpu_begin`,
   "! (rep:^rep_ty) (c_ac:num) (c_reg:num->num) (mem:*memory) (ir:num)
      (dataout:*wordn) (address:num) (read write:bool)
      (cpu_state:num)
      (resp_ready:bool) (datain:*wordn) (n:num) .
    cpu_begin n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                     cpu_state) (resp_ready, datain) =
    (c_ac, c_reg, mem, ir, (numtow rep ir), 0, F, T, 1)"
  );;


%
cpu_wait_for_response

wait for the response from biu to come

note: since everything is completely asynchronous,
the cpu has to wait for possibly several cycles
before the biu response is ready (resp_ready = T)
%

let cpu_wait_for_response = new_definition
  (`cpu_wait_for_response`,
   "! (rep:^rep_ty) c_ac c_reg mem ir dataout address read write
      cpu_state resp_ready datain n .
    cpu_wait_for_response n rep (c_ac, c_reg, mem, ir, dataout, address,
                                 read, write, cpu_state) (resp_ready, datain) =
    (~resp_ready) =>
      (c_ac, c_reg, mem, ir, dataout, address, F, F, 1) |
      (c_ac, c_reg, mem, ir, dataout, 1, T, F, 2)"
  );;

%2%

%
cpu_wait_4phase

the CPU waits one cycle for the 4-phase protocol to
finish reading the response (put the response on
the datain bus)
%

let cpu_wait_4phase = new_definition
  (`cpu_wait_4phase`,
   "! (rep:^rep_ty) c_ac c_reg mem ir dataout address read write
      cpu_state resp_ready datain n .
    cpu_wait_4phase n rep (c_ac, c_reg, mem, ir, dataout, address,
                           read, write, cpu_state) (resp_ready, datain) =
    (c_ac, c_reg, mem, ir, dataout, address, F, F, 3)"
  );;


%3%

%
cpu_read_response

if the response is to transfer data into fpc
then goto 2

if the response is to transfer data out of fpc
then goto 4

else (null primitive) goto 0
%

let cpu_read_response = new_definition
  (`cpu_read_response`,
   "! (rep:^rep_ty) c_ac c_reg mem ir dataout address read write
      cpu_state resp_ready datain n .
    cpu_read_response n rep (c_ac, c_reg, mem, ir, dataout, address,
                             read, write, cpu_state) (resp_ready, datain) =
    let data = (fetch rep) mem (Addr n ir) in
    (((wtonum rep datain) = read_p) =>                  % fld %
       (c_ac, c_reg, mem, ir, data, 2, F, T, 0) |
     ((wtonum rep datain) = write_p) =>                 % fstore %
       (c_ac, c_reg, mem, ir, dataout, 2, T, F, 4) |
     ((wtonum rep datain) = wait_p) =>
       (c_ac, c_reg, mem, ir, dataout, address, F, F, 1) |
       (c_ac, c_reg, mem, ir, dataout, address, F, F, 0))"
  );;

%4%

%
cpu_wait_read

CPU waits one cycle for the 4-phase protocol to finish reading
%

let cpu_wait_read = new_definition
  (`cpu_wait_read`,
   "! (rep:^rep_ty) c_ac c_reg mem ir dataout address read write
      cpu_state resp_ready datain n .
    cpu_wait_read n rep (c_ac, c_reg, mem, ir, dataout, address,
                         read, write, cpu_state) (resp_ready, datain) =
    (c_ac, c_reg, mem, ir, dataout, address, F, F, 5)"
  );;


%5%

%
cpu_put_data

write the data in the operand_out cir to the memory,
and goto 0.
%

let cpu_put_data = new_definition
  (`cpu_put_data`,
   "! (rep:^rep_ty) c_ac c_reg mem ir dataout address read write
      cpu_state resp_ready datain n .
    cpu_put_data n rep (c_ac, c_reg, mem, ir, dataout, address,
                        read, write, cpu_state) (resp_ready, datain) =
    let new_mem = (store rep) mem (Addr n ir) datain in
    (c_ac, c_reg, new_mem, ir, dataout, address, F, F, 0)"
  );;

%
cpu_service_state

next state function for CPU service.
%

let cpu_service_state = new_definition
  (`cpu_service_state`,
   "! (rep:^rep_ty) (n:num) (cpu_state:num) .
    cpu_service_state n rep cpu_state =
    ((cpu_state = 0) => (cpu_begin n rep) |
     (cpu_state = 1) => (cpu_wait_for_response n rep) |
     (cpu_state = 2) => (cpu_wait_4phase n rep) |
     (cpu_state = 3) => (cpu_read_response n rep) |
     (cpu_state = 4) => (cpu_wait_read n rep) |
                        (cpu_put_data n rep))"
  );;


%
cpu_service

The top level description for CPU service.
%

let cpu_service = new_definition
  (`cpu_service`,
   "! (rep:^rep_ty) (c_ac:num->num) (c_reg:num->num->num)
      (mem:num->*memory)
      (ir:num->num) (dataout:num->*wordn) (address:num->num)
      (read write:num->bool) (cpu_state:num->num)
      (resp_ready:num->bool) (datain:num->*wordn) (n:num) .
    cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                       cpu_state) (resp_ready, datain) =
    ! t. (c_ac(t+1), c_reg(t+1), mem(t+1), ir(t+1), dataout(t+1),
          address(t+1), read(t+1), write(t+1), cpu_state(t+1)) =
         cpu_service_state n rep (cpu_state t)
           (c_ac t, c_reg t, mem t, ir t, dataout t, address t, read t,
            write t, cpu_state t)
           (resp_ready t, datain t)"
  );;

close_theory();;


%
File: biu_top.ml
Author: Jing Pan
Date: March 1991

Purpose: The top level spec of the BIU, view it as a
         state transition machine.
%


loadf `/csgrad/panj/holdir/init.ml`;;
loadf `abstract.ml`;;

system `/bin/rm -f biu_top.th`;;

set_flag (`sticky`, true);;

new_theory `biu_top`;;

loadf `aux_defs.ml`;;

map new_parent [`aux`; `interface`; `fptype`];;

autoload_defs_and_thms `fptype`;;

let rep_ty = abstract_type `interface` `fetch`;;


%
state = (response, operand_out, decode_reg, resp_ready, f_ac,
         biu_state, start)

env   = (command, condition, control, operand_in, done, new_instr,
         operand_ready)
%

%
biu_idle

if ~new_instr then busy wait
else set fpc status to busy, and goto 1
%

let biu_idle = new_definition
  (`biu_idle`,
   "! (rep:^rep_ty) (response:num) (operand_out:fp)
      (decode_reg:num) (resp_ready:bool) (biu_state:num) (start:bool)
      (command:num) (condition:num) (control:num)
      (operand_in:fp) (done:bool) (new_instr:bool) (f_ac:fp)
      (operand_ready:bool) (n:num) .
    biu_idle n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                    biu_state, start) (command, condition, control, operand_in,
                    done, new_instr, operand_ready) =
    (~new_instr) =>
      (response, operand_out, decode_reg, resp_ready, f_ac, 0, start) |
      (response, operand_out, decode_reg, resp_ready, f_ac, 1, start)"
  );;


%1%

%
biu_decode

BIU decodes the instruction and sends back the response.

In the case of FSTR, it also sends back the data.
%

let biu_decode = new_definition
  (`biu_decode`,
   "! (rep:^rep_ty) response operand_out decode_reg resp_ready biu_state
      command condition control operand_in done new_instr f_ac operand_ready
      start n .
    biu_decode n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                      biu_state, start) (command, condition, control, operand_in,
                      done, new_instr, operand_ready) =
    (need_read n command) =>                                 % fld %
      (read_p, operand_out, decode_reg, T, f_ac, 2, start) |
    (need_write n command) =>                                % fstore %
      (write_p, f_ac, decode_reg, T, f_ac, 0, start) |
      (null_p, operand_out, command, T, f_ac, 4, T)"         % fadd %
  );;


%2%

%
biu_wait_op

The BIU waits one cycle
%

let biu_wait_op = new_definition
  (`biu_wait_op`,
   "! (rep:^rep_ty) response operand_out decode_reg resp_ready biu_state
      command condition control operand_in done new_instr f_ac operand_ready
      start n .
    biu_wait_op n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                       biu_state, start) (command, condition, control, operand_in,
                       done, new_instr, operand_ready) =
    (response, operand_out, decode_reg, resp_ready, f_ac, 3, start)"
  );;


%3%

%
biu_fld

wait until the operand cir is ready, then load the
accumulator from it and goto 0
%

let biu_fld = new_definition
  (`biu_fld`,
   "! (rep:^rep_ty) response operand_out decode_reg resp_ready biu_state
      command condition control operand_in done new_instr f_ac operand_ready
      start n .
    biu_fld n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                   biu_state, start) (command, condition, control, operand_in,
                   done, new_instr, operand_ready) =
    (~operand_ready) =>
      (response, operand_out, decode_reg, resp_ready, f_ac, 3, start) |
      (response, operand_out, decode_reg, resp_ready, operand_out, 0, start)"
  );;

%4%

%
biu_wait_apu

if apu is not done with the current instr.
then wait

else set status to idle and goto 0
%

let biu_wait_apu = new_definition
  (`biu_wait_apu`,
   "! (rep:^rep_ty) response operand_out decode_reg resp_ready biu_state
      command condition control operand_in done new_instr f_ac operand_ready
      start n .
    biu_wait_apu n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                        biu_state, start) (command, condition, control, operand_in,
                        done, new_instr, operand_ready) =
    (done) =>
      (response, operand_out, decode_reg, resp_ready, f_ac, 0, start) |
    (new_instr =>
      (wait_p, operand_out, decode_reg, resp_ready, f_ac, 4, start) |
      (response, operand_out, decode_reg, resp_ready, f_ac, 4, start))"
  );;


%
biu_top_state

next state function for the BIU.
%

let biu_top_state = new_definition
  (`biu_top_state`,
   "! (rep:^rep_ty) (n:num) (biu_state:num) .
    biu_top_state n rep biu_state =
    (biu_state = 0) => (biu_idle n rep) |
    (biu_state = 1) => (biu_decode n rep) |
    (biu_state = 2) => (biu_wait_op n rep) |
    (biu_state = 3) => (biu_fld n rep) |
                       (biu_wait_apu n rep)"
  );;


%
biu_top

BIU top level behavior
%

let biu_top = new_definition
  (`biu_top`,
   "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
      (decode_reg:num->num) (resp_ready:num->bool) (biu_state:num->num)
      (start:num->bool)
      (command:num->num) (condition:num->num) (control:num->num)
      (operand_in:num->fp) (done:num->bool)
      (new_instr:num->bool) (f_ac:num->fp) (operand_ready:num->bool)
      (n:num) .
    biu_top n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                   biu_state, start)
                  (command, condition, control, operand_in, done, new_instr,
                   operand_ready) =
    ! t. (response(t+1), operand_out(t+1),
          decode_reg(t+1), resp_ready(t+1), f_ac(t+1), biu_state(t+1),
          start(t+1)) =
         biu_top_state n rep (biu_state t) (response t, operand_out t,
           decode_reg t, resp_ready t, f_ac t, biu_state t, start t)
           (command t, condition t, control t, operand_in t, done t,
            new_instr t, operand_ready t)"
  );;

%
 biu_top_cpu

 BIU top level behavior, CPU's point of view
%

let biu_top_cpu = new_definition
  ('biu_top_cpu',
   "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
      (decode_reg:num->num) (resp_ready:num->bool) (biu_state:num->num)
      (start:num->bool)
      (command:num->num) (condition:num->num) (control:num->num)
      (operand_in:num->fp) (done:num->bool)
      (new_instr:num->bool) (f_ac:num->fp) (operand_ready:num->bool)
      (n:num) .
    biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                       biu_state, start)
                      (command, condition, control, operand_in, done, new_instr,
                       operand_ready) =
      ! (t:num). ? (t':num). ((t+1) <= t') /\
        (let state_tuple  = (response t, operand_out t, decode_reg t, resp_ready t,
                             f_ac t, biu_state t, start t) and
             state_tuple1 = (response(t+1), operand_out(t+1), decode_reg(t+1),
                             resp_ready(t+1), f_ac(t+1), biu_state(t+1), start(t+1)) and
             env_tuple    = (command t, condition t, control t, operand_in t, done t,
                             new_instr t, operand_ready t) and
             state_tuple' = (response t', operand_out t', decode_reg t',
                             resp_ready t', f_ac t', biu_state t', start t') in
         (((biu_state t = 0) \/ (biu_state t = 2)) =>
            (state_tuple1 = biu_top_state n rep (biu_state t)
                              state_tuple env_tuple) |
          (biu_state t = 1) =>
            ((First (t, t') (resp_ready)) /\
             (Stable (start, F, t, t')) /\
             (state_tuple' = (biu_decode n rep state_tuple env_tuple))) |
          (biu_state t = 3) =>
            ((~(operand_ready t)) =>
               (state_tuple1 = (response t, operand_out t, decode_reg t,
                                resp_ready t, f_ac t, 3, start t)) |
               ((Stable (start, F, t, t')) /\
                (state_tuple' = (response t, operand_out t, decode_reg t,
                                 resp_ready t, operand_out t, 0, start t)))) |
          % remaining state (4, biu_wait_apu); compare biu_wait_apu_lemma %
          (state_tuple' = (biu_top_state n rep (biu_state t)
                              state_tuple env_tuple))))"
  );;
close_theory();;
quit();;
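The state-3 (FLD) clause of biu_top_cpu is the one branch whose cycle-level and CPU-view behaviour are both fully visible above: while operand_ready is low the tuple is unchanged and biu_state stays 3; once it is high, f_ac takes operand_out and the BIU returns to state 0 at some t' >= t+1 with start held F on [t, t'). The Python below, an added example that is not code from the report, evaluates that clause on a finite trace. The report's biu_fld and Stable live in parts of the scripts not reproduced here, so the cycle-level step `biu_fld_step`, the reading of Stable as "sig u = v for all t <= u < t'", the modelling of `fp` values as floats, and the helper names `run_biu`, `fld_cpu_view_witness` and `demo` are all assumptions of this example.

```python
# Added example (not from the report): evaluate the biu_state = 3 clause of
# biu_top_cpu on a finite trace produced by unfolding biu_top one cycle at a
# time.  The cycle-level FLD step and the reading of Stable are assumptions
# chosen to match the clause as printed in the definition.

from dataclasses import dataclass, replace
from typing import Callable, List, Optional


@dataclass(frozen=True)
class BiuState:
    """State tuple of biu_top: (response, operand_out, decode_reg, resp_ready,
    f_ac, biu_state, start).  fp values are modelled as floats (assumption)."""
    response: int
    operand_out: float
    decode_reg: int
    resp_ready: bool
    f_ac: float
    biu_state: int
    start: bool


def stable(sig: Callable[[int], object], value, t: int, t_prime: int) -> bool:
    """Assumed reading of Stable (sig, v, t, t'): sig u = v for all t <= u < t'."""
    return all(sig(u) == value for u in range(t, t_prime))


def biu_fld_step(s: BiuState, operand_ready: bool) -> BiuState:
    """Assumed cycle-level FLD behaviour (the report's biu_fld is not shown):
    hold the tuple while the operand is not ready; otherwise load f_ac from
    operand_out and return to the idle state 0."""
    if not operand_ready:
        return s
    return replace(s, f_ac=s.operand_out, biu_state=0)


def run_biu(s0: BiuState, operand_ready: List[bool]) -> List[BiuState]:
    """Unfold biu_top: state (t+1) is a function of state t and env t.
    Only the FLD state is modelled; every other state holds its tuple."""
    trace = [s0]
    for ready in operand_ready:
        s = trace[-1]
        trace.append(biu_fld_step(s, ready) if s.biu_state == 3 else s)
    return trace


def fld_cpu_view_witness(trace: List[BiuState], operand_ready: List[bool],
                         t: int) -> Optional[int]:
    """Evaluate the (biu_state t = 3) clause of biu_top_cpu at time t.
    Returns a witness t' (t+1 <= t') for the existential, or None."""
    s = trace[t]
    if s.biu_state != 3:
        raise ValueError("the clause applies only when biu_state t = 3")
    start = lambda u: trace[u].start
    if not operand_ready[t]:
        # not-ready branch: state_tuple1 equals state_tuple with biu_state := 3
        expected_next = replace(s, biu_state=3)
        return t + 1 if trace[t + 1] == expected_next else None
    # ready branch: at t' the accumulator holds operand_out t, biu_state is 0,
    # and start has been F from t up to (not including) t'
    expected_at_tp = replace(s, f_ac=s.operand_out, biu_state=0)
    for t_prime in range(t + 1, len(trace)):
        if trace[t_prime] == expected_at_tp and stable(start, False, t, t_prime):
            return t_prime
    return None


def demo() -> dict:
    """Constructed input: the FLD state waits three cycles for the operand.
    A hand-edited copy of the trace changes decode_reg while waiting, which
    the not-ready branch must reject."""
    s0 = BiuState(response=0, operand_out=2.5, decode_reg=0x22,
                  resp_ready=False, f_ac=0.0, biu_state=3, start=False)
    operand_ready = [False, False, False, True]
    trace = run_biu(s0, operand_ready)
    bad = list(trace)
    bad[1] = replace(bad[1], decode_reg=0)
    return {
        "waiting": fld_cpu_view_witness(trace, operand_ready, 0),
        "loaded": fld_cpu_view_witness(trace, operand_ready, 3),
        "f_ac_after_load": trace[4].f_ac,
        "state_after_load": trace[4].biu_state,
        "decode_reg_violation": fld_cpu_view_witness(bad, operand_ready, 0),
    }
```

The check is deliberately existential in the same way as the HOL definition: on the ready branch it searches forward for the first t' at which the expected tuple appears with start stable at F on [t, t'), which is exactly the obligation discharged in biu_fld_lemma by `EXISTS_TAC "t':num"`.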


%
 File: apu_top.ml
 Author: Jing Pan
 Date: March 1991

 Purpose: The top level description of the APU
%

loadf '/csgrad/panj/holdir/init.ml';;
loadf 'abstract.ml';;
system '/bin/rm -f apu_top.th';;
set_flag ('sticky', true);;
new_theory 'apu_top';;
loadf 'aux_defs.ml';;

map new_parent ['aux'; 'interface'; 'fptype'];;

autoload_defs_and_thms 'aux';;
autoload_defs_and_thms 'fptype';;

let rep_ty = abstract_type 'interface' 'fetch';;



%
 State on the top level for APU:
   (f_ac, f_reg, cv, sv, done)

 Env on the micro level for APU:
   (start, decode_reg, operand_in)
%

%
 Arithmetic Instruction

 perform arithmetic operation on single or double
 precision floating point (real) numbers:

   FADD, FSUB, FMUL, FDIV, FREM

 These operations are entirely internal to the coprocessor.
%

let m1 = new_definition
  ('m1', "m1 = 8");;

let m2 = new_definition
  ('m2', "m2 = 23");;


%
 C_FADD

 The floating point add instruction, where n is the
 instruction length

   (f_ac) + (f_reg i) -> f_ac
%

let C_FADD = new_definition
  ('C_FADD',
   "! (rep:^rep_ty) (f_ac:fp) (f_reg:num->fp)
      (cv sv:bool#bool#bool#bool) (done:bool)
      (start:bool) (decode_reg:num) (n:num) .
    C_FADD n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) =
      let (addr:num) = (Addr n decode_reg) in
        ((FST (FP_ADD m1 m2 f_ac (f_reg addr))), f_reg, cv, sv, T)"
  );;


%
 C_FSUB

 The floating point sub instruction, where n is the
 instruction length

   (f_ac) - (f_reg i) -> f_ac
%

let C_FSUB = new_definition
  ('C_FSUB',
   "! (rep:^rep_ty) f_ac f_reg cv sv done start decode_reg n .
    C_FSUB n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) =
      let (addr:num) = (Addr n decode_reg) in
        ((FST (FP_SUB m1 m2 f_ac (f_reg addr))), f_reg, cv, sv, T)"
  );;


%
 C_FMUL

 The floating point mul instruction, where n is the
 instruction length

   (f_ac) * (f_reg i) -> f_ac
%

let C_FMUL = new_definition
  ('C_FMUL',
   "! (rep:^rep_ty) f_ac f_reg cv sv done start decode_reg n .
    C_FMUL n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) =
      let (addr:num) = (Addr n decode_reg) in
        ((FST (FP_MUL m1 m2 f_ac (f_reg addr))), f_reg, cv, sv, T)"
  );;


%
 C_FDIV

 The floating point div instruction, where n is the
 instruction length

   (f_ac) / (f_reg i) -> f_ac
%

let C_FDIV = new_definition
  ('C_FDIV',
   "! (rep:^rep_ty) f_ac f_reg cv sv done start decode_reg n .
    C_FDIV n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) =
      let (addr:num) = (Addr n decode_reg) in
        ((FST (FP_DIV m1 m2 f_ac (f_reg addr))), f_reg, cv, sv, T)"
  );;

%
 apu_idle

 APU waits for the BIU to pass an instr
%

let apu_idle = new_definition
  ('apu_idle',
   "! (rep:^rep_ty) f_ac f_reg cv sv done start decode_reg n .
    apu_idle n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) =
      (f_ac, f_reg, cv, sv, done)"
  );;

%
 NextState_apu

 Define the next state of APU top level
%

let NextState_apu = new_definition
  ('NextState_apu',
   "! (rep:^rep_ty) (opcode:num) n .
    NextState_apu n rep opcode =
      % ((opcode = 0) => (C_FLD n rep) |
         (opcode = 1) => (C_FSTR n rep) | %
      ((opcode = 2) => (C_FADD n rep) |
       (opcode = 3) => (C_FSUB n rep) |
       (opcode = 4) => (C_FMUL n rep) |
       (C_FDIV n rep))"
  );;


%
 apu_top

 The top level description of APU.
%

let apu_top = new_definition
  ('apu_top',
   "! (rep:^rep_ty) (f_ac:num->fp) (f_reg:num->num->fp)
      (cv sv:num->bool#bool#bool#bool)
      (done:num->bool) (start:num->bool) (decode_reg:num->num)
      (n:num) .
    apu_top n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) =
      ! t. (f_ac(t+1), f_reg(t+1), cv(t+1), sv(t+1), done(t+1)) =
           (~start t) =>
              apu_idle n rep (f_ac t, f_reg t, cv t, sv t, done t)
                             (start t, decode_reg t) |
              NextState_apu n rep (Opc n (decode_reg t))
                             (f_ac t, f_reg t, cv t, sv t, done t)
                             (start t, decode_reg t)"
  );;

%
 apu_top_cpu

 The top level description of APU, from the CPU
 point of view.
%

let apu_top_cpu = new_definition
  ('apu_top_cpu',
   "! (rep:^rep_ty) (f_ac:num->fp) (f_reg:num->num->fp)
      (cv sv:num->bool#bool#bool#bool)
      (done:num->bool) (start:num->bool) (decode_reg:num->num)
      (n:num) .
    apu_top_cpu n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) =
      ! t. (~start t) =>
             ((f_ac(t+1), f_reg(t+1), cv(t+1), sv(t+1), done(t+1)) =
              apu_idle n rep (f_ac t, f_reg t, cv t, sv t, done t)
                             (start t, decode_reg t)) |
             (? t'. (t <= t') /\
                    (First (t, t') (done)) /\
                    ((f_ac t', f_reg t', cv t', sv t', done t') =
                     NextState_apu n rep (Opc n (decode_reg t))
                                   (f_ac t, f_reg t, cv t, sv t, done t)
                                   (start t, decode_reg t)))"
  );;

close_theory();;
quit();;
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APPENDIX B: USEFUL LEMMAS 


%
 File: service_lemma.ml
 Author: Jing Pan
 Date: March 1991

 Purpose: Lemmas for "cpu_service".
%

loadf '/csgrad/panj/holdir/init.ml';;
loadf 'abstract.ml';;
system '/bin/rm -f service_lemma.th';;
set_flag ('sticky', true);;
new_theory 'service_lemma';;
loadf 'aux_defs.ml';;
map new_parent ['cpu_service'];;
autoload_defs_and_thms 'cpu_service';;
let rep_ty = abstract_type 'interface' 'fetch';;
map loadf ['digit'; 'decimal'];;

%
 cpu_service_lemma
%

let cpu_service_lemma = prove_thm
  ('cpu_service_lemma',
   "! rep:^rep_ty (n:num) .
    ((cpu_service_state n rep 0 = (cpu_begin n rep)) /\
     (cpu_service_state n rep 1 = (cpu_wait_for_response n rep)) /\
     (cpu_service_state n rep 2 = (cpu_wait_4phase n rep)) /\
     (cpu_service_state n rep 3 = (cpu_read_response n rep)) /\
     (cpu_service_state n rep 4 = (cpu_wait_read n rep)) /\
     (cpu_service_state n rep 5 = (cpu_put_data n rep)))",
   REPEAT GEN_TAC
   THEN ONCE_REWRITE_TAC [cpu_service_state]
   THEN DEC_EQ_TAC
  );;


% MICRO_RULE address instr: specialise the unfolded cpu_service assumption
  to the state numbered `address` and rewrite it with the definition of the
  corresponding micro state `instr` %
let MICRO_RULE address instr =
  (GEN_ALL (DISCH_ALL
    (GEN "t"
      (DISCH "(cpu_state t = ^address)"
        (REWRITE_RULE [cpu_service_lemma; instr]
          (SUBS [ASSUME "(cpu_state t = ^address)"]
            (SPEC_ALL
              (REWRITE_RULE [cpu_service]
                (ASSUME "cpu_service n (rep:^rep_ty) (c_ac, c_reg, mem, ir,
                                        dataout, address, read, write, cpu_state)
                                       (resp_ready, datain)"
                )))))))));;


%
 One lemma for each individual state
%

let cpu_begin_lemma = save_thm
  ('cpu_begin_lemma',
   MICRO_RULE "0" cpu_begin
  );;

let cpu_wait_for_response_lemma = save_thm
  ('cpu_wait_for_response_lemma',
   MICRO_RULE "1" cpu_wait_for_response
  );;

let cpu_wait_4phase_lemma = save_thm
  ('cpu_wait_4phase_lemma',
   MICRO_RULE "2" cpu_wait_4phase
  );;

let cpu_read_response_lemma = save_thm
  ('cpu_read_response_lemma',
   MICRO_RULE "3" cpu_read_response
  );;

let cpu_wait_read_lemma = save_thm
  ('cpu_wait_read_lemma',
   MICRO_RULE "4" cpu_wait_read
  );;

let cpu_put_data_lemma = save_thm
  ('cpu_put_data_lemma',
   MICRO_RULE "5" cpu_put_data
  );;

close_theory();;
quit();;
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Fila: biu.lammo.nl 
Author: Jing Pun 
Dota: lUrch 1991 

Purpose: A group of l«uu nbout tha top spac 

of tha BIU. 


X 


loodf * /csgr od/pon j /holdir/ init .ml ' ; ; 
loodf 'obstroct.nl 4 ;; 
loodf 4 tactic*. ml 4 ;; 

system '/bin/ra -f biu.lammo.th ' ; ; 

B«t.fla| ('sticky'. trua);; 

nsv.thaory 'biu.lamno 4 ; ; 

loodf 'onx.dafs.nl 4 ;; 

map naw_porant [ 4 oux 4 ; 'intarfoca 4 ; 4 fptypa 4 ; 4 biu_top 4 ];; 

omtolood.dafs.ond.thms 'fptypa 4 ;; 
oatolood.dafs.ond.thms ‘biu.top 4 ;; 

lot rap.ty * obstroct.typa ‘intarfoca 4 'fatch 4 ;; 
mop loodf ['digit'; ‘dacimol 4 ];; 


biu.top.lasmo 


lat bim.top_lasno ■ proTa.thm 
( 'biu_t op.lammo 4 . 

“! rap: "rap.ty (n : nun) . 

((biu.top.st ota n rap 0 - (biu.idla n rap)) A 
(bim.top.st ota n rap 1 * (biu.dacoda n rap)) A 
(bim.top.stota n rap 2 * (biu.voit.op n rap)) /\ 
(bin.top.stota n rap 3 » (biu.fld n rap)) /\ 
(bim.top.st ota n rap 4 - (bim.voit.opu n rap)))". 
BEPEAT 6EV.TAC 

THE! OBCE.REVRITE.TAC [bim.top.stota] 

THE1 DCC.XQ.TAC 

);; 


let TAC1 =
  REPEAT STRIP_TAC
  THEN REWRITE_ASM_THM_TAC biu_top_cpu 2
  THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t" (el 1 ths)))
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC LET_DEF 1
  THEN RM2LAST_TAC
  THEN POP_ASSUM (\th1. ASSUME_TAC (BETA_RULE th1))
  % RES_TAC -- resolution only handles implication, not conditions %
  THEN REWRITE_ASM 2 1
  THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
  THEN POP_ASSUM (\th1. ASSUME_TAC
         (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
  THEN REWRITE_ASM_THM_TAC biu_top_lemma 1
  THEN ASM_REWRITE_TAC[];;


let state1_TAC =
  REPEAT STRIP_TAC
  THEN REWRITE_ASM_THM_TAC biu_top_cpu 2
  THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t" (el 1 ths)))
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC LET_DEF 1
  THEN RM2LAST_TAC
  THEN POP_ASSUM (\th1. ASSUME_TAC (BETA_RULE th1))
  % RES_TAC -- resolution only handles implication, not conditions %
  THEN REWRITE_ASM 2 1
  THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
  THEN POP_ASSUM (\th1. ASSUME_TAC
         (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
  THEN ASM_REWRITE_TAC[];;


%
 One lemma for each individual state
%

%
 biu_decode_lemma
%

let biu_decode_lemma = prove_thm
  ('biu_decode_lemma',
   "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
      (decode_reg:num->num) (resp_ready:num->bool) (biu_state:num->num)
      (start:num->bool) (command:num->num) (condition:num->num)
      (control:num->num) (operand_in:num->fp) (done:num->bool)
      (new_instr:num->bool) (f_ac:num->fp) (operand_ready:num->bool) (n:num).
    biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                       biu_state, start) (command, condition, control, operand_in,
                       done, new_instr, operand_ready) ==>
    (!t.
      (biu_state t = 1) ==>
      ? t'. ((t+1) <= t') /\
            (First (t, t') (resp_ready)) /\
            (Stable (start, F, t, t')) /\
            ((response t', operand_out t', decode_reg t', resp_ready t', f_ac t',
              biu_state t', start t') =
             biu_decode n rep (response t, operand_out t, decode_reg t,
                               resp_ready t, f_ac t, biu_state t, start t)
                              (command t, condition t, control t, operand_in t,
                               done t, new_instr t, operand_ready t)))",
   state1_TAC);;


%
 biu_fld_lemma
%

let biu_fld_lemma = prove_thm
  ('biu_fld_lemma',
   "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
      (decode_reg:num->num) (resp_ready:num->bool) (biu_state:num->num)
      (start:num->bool) (command:num->num) (condition:num->num)
      (control:num->num) (operand_in:num->fp) (done:num->bool)
      (new_instr:num->bool) (f_ac:num->fp) (operand_ready:num->bool) (n:num).
    biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                       biu_state, start) (command, condition, control, operand_in,
                       done, new_instr, operand_ready) ==>
    (!t.
      (biu_state t = 3) ==>
      ? t'. ((t+1) <= t') /\
            ((~(operand_ready t)) =>
               ((response(t+1), operand_out(t+1), decode_reg(t+1),
                 resp_ready(t+1), f_ac(t+1), biu_state(t+1), start(t+1)) =
                (response t, operand_out t, decode_reg t, resp_ready t, f_ac t,
                 3, start t)) |
               ((Stable (start, F, t, t')) /\
                (((response t', operand_out t', decode_reg t', resp_ready t',
                   f_ac t', biu_state t', start t') =
                  (response t, operand_out t, decode_reg t, resp_ready t,
                   operand_out t, 0, start t))))))",
   REPEAT STRIP_TAC
   THEN REWRITE_ASM_THM_TAC biu_top_cpu 2
   THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t" (el 1 ths)))
   THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1)
   THEN RM3LAST_TAC
   THEN REWRITE_ASM_THM_TAC LET_DEF 1
   THEN RM2LAST_TAC
   THEN POP_ASSUM (\th1. ASSUME_TAC (BETA_RULE th1))
   % RES_TAC -- resolution only handles implication, not conditions %
   THEN REWRITE_ASM 3 1
   THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
   THEN POP_ASSUM (\th1. ASSUME_TAC
          (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
   THEN EXISTS_TAC "t':num"
   THEN ASM_REWRITE_TAC[]
  );;

let TAC2 =
  REPEAT STRIP_TAC
  THEN REWRITE_ASM_THM_TAC biu_top_cpu 2
  THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t" (el 1 ths)))
  THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1)
  THEN RM3LAST_TAC
  THEN REWRITE_ASM_THM_TAC LET_DEF 1
  THEN RM2LAST_TAC
  THEN POP_ASSUM (\th1. ASSUME_TAC (BETA_RULE th1))
  % RES_TAC -- resolution only handles implication, not conditions %
  THEN REWRITE_ASM 3 1
  THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
  THEN POP_ASSUM (\th1. ASSUME_TAC
         (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
  THEN REWRITE_ASM_THM_TAC biu_top_lemma 1
  THEN ASM_REWRITE_TAC[];;


%
 biu_wait_apu_lemma
%

let biu_wait_apu_lemma = prove_thm
  ('biu_wait_apu_lemma',
   "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
      (decode_reg:num->num) (resp_ready:num->bool) (biu_state:num->num)
      (start:num->bool) (command:num->num) (condition:num->num)
      (control:num->num) (operand_in:num->fp) (done:num->bool)
      (new_instr:num->bool) (f_ac:num->fp) (operand_ready:num->bool) (n:num).
    biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                       biu_state, start) (command, condition, control, operand_in,
                       done, new_instr, operand_ready) ==>
    (!t.
      (biu_state t = 4) ==>
      ? t'. ((t+1) <= t') /\
            ((response t', operand_out t', decode_reg t', resp_ready t', f_ac t',
              biu_state t', start t') =
             biu_wait_apu n rep (response t, operand_out t, decode_reg t,
                                 resp_ready t, f_ac t, biu_state t, start t)
                                (command t, condition t, control t, operand_in t,
                                 done t, new_instr t, operand_ready t)))",
   TAC1
  );;

%
 biu_wait_op_lemma
%

let biu_wait_op_lemma = prove_thm
  ('biu_wait_op_lemma',
   "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
      (decode_reg:num->num) (resp_ready:num->bool) (biu_state:num->num)
      (start:num->bool) (command:num->num) (condition:num->num)
      (control:num->num) (operand_in:num->fp) (done:num->bool)
      (new_instr:num->bool) (f_ac:num->fp) (operand_ready:num->bool) (n:num).
    biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                       biu_state, start) (command, condition, control, operand_in,
                       done, new_instr, operand_ready) ==>
    (!t.
      (biu_state t = 2) ==>
      ((response(t+1), operand_out(t+1), decode_reg(t+1),
        resp_ready(t+1), f_ac(t+1), biu_state(t+1), start(t+1)) =
       biu_wait_op n rep (response t, operand_out t, decode_reg t,
                          resp_ready t, f_ac t, biu_state t, start t)
                         (command t, condition t, control t, operand_in t,
                          done t, new_instr t, operand_ready t)))",
   TAC2
  );;


%
 biu_idle_lemma
%

let biu_idle_lemma = prove_thm
  ('biu_idle_lemma',
   "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
      (decode_reg:num->num) (resp_ready:num->bool) (biu_state:num->num)
      (start:num->bool) (command:num->num) (condition:num->num)
      (control:num->num) (operand_in:num->fp) (done:num->bool)
      (new_instr:num->bool) (f_ac:num->fp) (operand_ready:num->bool) (n:num).
    biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready, f_ac,
                       biu_state, start) (command, condition, control, operand_in,
                       done, new_instr, operand_ready) ==>
    (!t.
      (biu_state t = 0) ==>
      ((response(t+1), operand_out(t+1), decode_reg(t+1),
        resp_ready(t+1), f_ac(t+1), biu_state(t+1), start(t+1)) =
       biu_idle n rep (response t, operand_out t, decode_reg t,
                       resp_ready t, f_ac t, biu_state t, start t)
                      (command t, condition t, control t, operand_in t,
                       done t, new_instr t, operand_ready t)))",
   TAC2
  );;

close_theory();;
quit();;


%
 File: apu_lemma.ml
 Author: Jing Pan
 Date: March 1991

 Purpose: Lemmas for "apu_top.ml".
%

loadf '/csgrad/panj/holdir/init.ml';;
loadf 'abstract.ml';;
loadf 'tactics';;
system '/bin/rm -f apu_lemma.th';;
set_flag ('sticky', true);;
new_theory 'apu_lemma';;
loadf 'aux_defs.ml';;
map new_parent ['aux'; 'interface'; 'fptype'; 'apu_top'];;
autoload_defs_and_thms 'fptype';;
autoload_defs_and_thms 'apu_top';;
let rep_ty = abstract_type 'interface' 'fetch';;
map loadf ['digit'; 'decimal'];;

%
 apu_top_lemma
%

let apu_top_lemma = prove_thm
  ('apu_top_lemma',
   "! rep:^rep_ty (n:num) .
    ((NextState_apu n rep 2 = (C_FADD n rep)) /\
     (NextState_apu n rep 3 = (C_FSUB n rep)) /\
     (NextState_apu n rep 4 = (C_FMUL n rep)) /\
     (NextState_apu n rep 5 = (C_FDIV n rep)))",
   REPEAT GEN_TAC
   THEN ONCE_REWRITE_TAC [NextState_apu]
   THEN DEC_EQ_TAC
  );;

let TAC1 =
  REPEAT STRIP_TAC
  THEN REWRITE_ASM_THM_TAC apu_top_cpu 3
  THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t" (el 1 ths)))
  THEN RM2LAST_TAC
  % RES_TAC -- resolution only handles implication, not conditions %
  THEN REWRITE_ASM 2 1
  THEN REWRITE_ASM 3 1
  THEN REWRITE_ASM_THM_TAC apu_top_lemma 1
  THEN ASM_REWRITE_TAC[];;


%
 One lemma for each individual state
%

let apu_FADD_lemma = prove_thm
  ('apu_FADD_lemma',
   "! (rep:^rep_ty) (f_ac:num->fp) (f_reg:num->num->fp)
      (cv sv:num->bool#bool#bool#bool)
      (done:num->bool) (start:num->bool) (decode_reg:num->num)
      (n:num) .
    apu_top_cpu n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) ==>
    ! t .
      (start t) /\ (Opc n (decode_reg t) = 2) ==>
      ? t'. (t <= t') /\
            (First (t, t') (done)) /\
            ((f_ac t', f_reg t', cv t', sv t', done t') =
             C_FADD n rep (f_ac t, f_reg t, cv t, sv t, done t)
                          (start t, decode_reg t))",
   TAC1
  );;

let apu_FSUB_lemma = prove_thm
  ('apu_FSUB_lemma',
   "! (rep:^rep_ty) (f_ac:num->fp) (f_reg:num->num->fp)
      (cv sv:num->bool#bool#bool#bool)
      (done:num->bool) (start:num->bool) (decode_reg:num->num)
      (n:num) .
    apu_top_cpu n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) ==>
    ! t .
      (start t) /\ (Opc n (decode_reg t) = 3) ==>
      ? t'. (t <= t') /\
            (First (t, t') (done)) /\
            ((f_ac t', f_reg t', cv t', sv t', done t') =
             C_FSUB n rep (f_ac t, f_reg t, cv t, sv t, done t)
                          (start t, decode_reg t))",
   TAC1
  );;

let apu_FMUL_lemma = prove_thm
  ('apu_FMUL_lemma',
   "! (rep:^rep_ty) (f_ac:num->fp) (f_reg:num->num->fp)
      (cv sv:num->bool#bool#bool#bool)
      (done:num->bool) (start:num->bool) (decode_reg:num->num)
      (n:num) .
    apu_top_cpu n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) ==>
    ! t .
      (start t) /\ (Opc n (decode_reg t) = 4) ==>
      ? t'. (t <= t') /\
            (First (t, t') (done)) /\
            ((f_ac t', f_reg t', cv t', sv t', done t') =
             C_FMUL n rep (f_ac t, f_reg t, cv t, sv t, done t)
                          (start t, decode_reg t))",
   TAC1
  );;


let apu_FDIV_lemma = prove_thm
  ('apu_FDIV_lemma',
   "! (rep:^rep_ty) (f_ac:num->fp) (f_reg:num->num->fp)
      (cv sv:num->bool#bool#bool#bool)
      (done:num->bool) (start:num->bool) (decode_reg:num->num)
      (n:num) .
    apu_top_cpu n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) ==>
    ! t .
      (start t) /\ (Opc n (decode_reg t) = 5) ==>
      ? t'. (t <= t') /\
            (First (t, t') (done)) /\
            ((f_ac t', f_reg t', cv t', sv t', done t') =
             C_FDIV n rep (f_ac t, f_reg t, cv t, sv t, done t)
                          (start t, decode_reg t))",
   TAC1
  );;

let TAC2 =
  REPEAT STRIP_TAC
  THEN REWRITE_ASM_THM_TAC apu_top_cpu 2
  THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t" (el 1 ths)))
  THEN RM2LAST_TAC
  THEN REWRITE_ASM 2 1
  THEN REWRITE_ASM_THM_TAC apu_top_lemma 1
  THEN ASM_REWRITE_TAC[];;


let apu_idle_lemma = prove_thm
  ('apu_idle_lemma',
   "! (rep:^rep_ty) (f_ac:num->fp) (f_reg:num->num->fp)
      (cv sv:num->bool#bool#bool#bool)
      (done:num->bool) (start:num->bool) (decode_reg:num->num)
      (n:num) .
    apu_top_cpu n rep (f_ac, f_reg, cv, sv, done) (start, decode_reg) ==>
    ! t . (~start t) ==>
      ((f_ac(t+1), f_reg(t+1), cv(t+1), sv(t+1), done(t+1)) =
       apu_idle n rep (f_ac t, f_reg t, cv t, sv t, done t)
                      (start t, decode_reg t))",
   TAC2
  );;

close_theory();;
quit();;


%
 File: induc.ml
 Author: Jing Pan
 Date: March 1991

 Purpose: Induction on unit time, used for
          existentially quantified state transition.
%

loadf '/csgrad/panj/holdir/init.ml';;
loadf 'abstract.ml';;
loadf 'tactics.ml';;
system '/bin/rm -f induc.th';;
set_flag ('sticky', true);;
new_theory 'induc';;
loadf 'a
ux_defs.ml';;

map new_parent ['aux'; 'interface'; 'cpu_service'; 'service_lemma';
                'apu_top'; 'apu_lemma'];;

autoload_defs_and_thms 'aux';;
autoload_defs_and_thms 'cpu_service';;
autoload_defs_and_thms 'service_lemma';;
autoload_defs_and_thms 'apu_lemma';;
autoload_defs_and_thms 'apu_top';;

let rep_ty = abstract_type 'interface' 'fetch';;


% lemma_suc: shrink the wait window from SUC(t+n') to t+n' %
let lemma_suc = prove_thm
  ('lemma_suc',
   "(!t'. t <= t' /\ t' < (SUC (t + n')) ==> ~resp_ready t') ==>
    (!t'. t <= t' /\ t' < (t + n') ==> ~resp_ready t')",
   STRIP_TAC
   THEN GEN_TAC
   THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t':num" (el 1 ths)))
   THEN STRIP_TAC
   THEN REWRITE_ASM1 2 3
   % LESS_SUC: m<n ==> m<SUC n %
   THEN ASSUM_LIST (\ths. ASSUME_TAC (SPECL ["t':num"; "t+n'"] LESS_SUC))
   % 1 = "t' < (t + n') ==> t' < (SUC(t + n'))"
     3 = "t' < (t + n')" %
   THEN REWRITE_ASM1 3 1
   % 1 = "t' < (SUC(t + n'))"
     3 = "t' < (SUC(t + n')) ==> ~resp_ready t'" %
   THEN REWRITE_ASM 1 3
   THEN ASM_REWRITE_TAC[]);;

let lemma_suc2 = prove_thm
  ('lemma_suc2',
   "(!t'. t <= t' /\ t' < (SUC (t + n')) ==> ~start t') ==>
    (!t'. t <= t' /\ t' < (t + n') ==> ~start t')",
   STRIP_TAC
   THEN GEN_TAC
   THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t':num" (el 1 ths)))
   THEN STRIP_TAC
   THEN REWRITE_ASM1 2 3
   % LESS_SUC: m<n ==> m<SUC n %
   THEN ASSUM_LIST (\ths. ASSUME_TAC (SPECL ["t':num"; "t+n'"] LESS_SUC))
   % 1 = "t' < (t + n') ==> t' < (SUC(t + n'))"
     3 = "t' < (t + n')" %
   THEN REWRITE_ASM1 3 1
   % 1 = "t' < (SUC(t + n'))"
     3 = "t' < (SUC(t + n')) ==> ~start t'" %
   THEN REWRITE_ASM 1 3
   THEN ASM_REWRITE_TAC[]);;

let lemma_suc3 = prove_thm
  ('lemma_suc3',
   "(!t'. t <= t' /\ t' < (SUC (t + n')) ==> (~(read t') /\ ~(write t'))) ==>
    (!t'. t <= t' /\ t' < (t + n') ==> (~(read t') /\ ~(write t')))",
   STRIP_TAC
   THEN GEN_TAC
   THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t':num" (el 1 ths)))
   THEN STRIP_TAC
   THEN REWRITE_ASM1 2 3
   % LESS_SUC: m<n ==> m<SUC n %
   THEN ASSUM_LIST (\ths. ASSUME_TAC (SPECL ["t':num"; "t+n'"] LESS_SUC))
   % 1 = "t' < (t + n') ==> t' < (SUC(t + n'))"
     3 = "t' < (t + n')" %
   THEN REWRITE_ASM1 3 1
   % 1 = "t' < (SUC(t + n'))"
     3 = "t' < (SUC(t + n')) ==> (~(read t') /\ ~(write t'))" %
   THEN REWRITE_ASM 1 3
   THEN ASM_REWRITE_TAC[]);;



let TAC_induc =
  REPEAT STRIP_TAC
  THEN REWRITE_TAC [StableUntil; Stable]
  THEN IMP_RES_TAC cpu_wait_for_response_lemma
  THEN RM2LAST_TAC
  % induction on the length of wait period -- "n" %
  THEN INDUCT_TAC
  THENL [
    % base case %
    REWRITE_TAC [ADD_CLAUSES]                          % t+0=t %
    % NOT_LESS: !m n. ~m<n = n<=m;
      EQ_SYM_EQ: !x y. (x=y) = (y=x) %
    THEN ASSUM_LIST (\ths. ASSUME_TAC
           (ONCE_REWRITE_RULE [EQ_SYM_EQ] (NOT_LESS)))
    THEN ASM_REWRITE_TAC[]
    ;
    % induction step %
    REWRITE_TAC [ADD_CLAUSES]                          % m+(SUC n)=SUC (m+n) %
    THEN STRIP_TAC
    THEN IMP_RES_TAC lemma_suc
    THEN REWRITE_ASM 1 3                % now we have cpu_state(t+n')=1 %
    THEN IMP_RES_TAC cpu_wait_for_response_lemma
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t+n'" (el 3 ths)))
    % LESS_EQ_ADD: m<=(m+n) %
    THEN REWRITE_ASM_THM_TAC LESS_EQ_ADD 1
    % LESS_SUC_REFL: n < (SUC n) %
    THEN REWRITE_ASM_THM_TAC LESS_SUC_REFL 1
    % now we have "~resp_ready(t + n')" %
    THEN REWRITE_ASM1 1 4
    THEN ASSUM_LIST (\ths.
           (TAC1 (el 1 ths)))           % now we get "cpu_state((t + n') + 1) = 1" %
    THEN REWRITE_TAC [ADD1]                            % ADD1: m+1 = SUC m %
    THEN ASM_REWRITE_TAC[]
  ];;


%
 wait_cpu
%

let wait_cpu = prove_thm
  ('wait_cpu',
   "! (rep:^rep_ty) (c_ac:num->num) (c_reg:num->num->num)
      (mem:num->*memory) (ir:num->num) (dataout:num->*wordn)
      (address:num->num) (read write:num->bool) (cpu_state:num->num)
      (resp_ready:num->bool) (datain:num->*wordn) (n:num) .
    cpu_service n rep (c_ac, c_reg, mem, ir, dataout,
                       address, read, write, cpu_state) (resp_ready, datain)
    ==>
    ! (t:num). (cpu_state t = 1) ==>
      StableUntil (cpu_state, 1, t, resp_ready)",
   TAC_induc
  );;
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let TAC_iaduc2 stableuntilx ■ 

UNIT STUP.TAC 

THU REVRITE.TAC [stableuntilx ; Stable] 

THU XHP_RES_TAC cpu.sait.for.response.lenaa 
THU RH2LAST.TAC 

X induct ion on tha length of wait period — "a**! 

THEIL MJP.TAC (IHDUCT.TAC 
THEHL [ 

Xbase ease X 

REVUTE.TAC [ADD.CLAUSES] Xt+O-tX 
XHOT.LESS: fan. 'a<a ■ a <■ a; 

BQ.STHEQ: I x j. (x~y) • (y-x) X 
THU ASSUN.UST (\th*. ASSUNE.TAC 

(OICE.REVRITE.RULE CEQ.STH.EQ] (I0T.LKSS))) 

THU ASH.REVRITE.TACD; 

X induction atop X 

REVRITE.TAC [ADD.CLAUSES] Xa-KSUC n)»SUC (a+a)X 

THU STUP.TAC 

THU XHP.RBS.TAC loaaa.aac 

THU REVUTE.ASH1 1 3 X now n bate -aea(tea') - aoa t" X 
THU nP.HES.TAC aait.cpu 
THU RM2UST.TAC 

THU ASSOH.LIST (\tha. ASSUNE.TAC 

(REWRITE.RULE [StabloUntil; Stable] (el 1 tbs))) 
THU RM2LAST.TAC 

THU ASSUH.UST (\tbs. ASSUNE.TAC 
(SPEC “a*" (el 1 tbs))) 

THU RH2LAST.TAC 

THU REVRITE.ASN 3 1 X aos se get cpu_state(t+a') ■ 1 X 

Xto get (t ♦ a') < (SUC(t + a’)) “> 'resp_ready(t ♦ a’)X 
THU ASSUN.LIST (\tbs. ASSUNE.TAC 
(SPEC “t+a'" (el 4 tbs))) 

X1ESS.BQ.ADO: a<-(a+n)X 
THU REHUTE.ASH.THN.TAC LBSS.EQ.ADD 1 
XLESS_EQ.SUC.REPL : a < (SUC a)X 
THU REHUTE.ASH.THN.TAC LESS.SUC.REPL 1 
Xaos se base "'resp.reedy (t ♦ a , )”X 

THU XHP.RES.TAC cpu.sait.for.response.laaaa 
THU RN2LAST.TAC 

THU REVUTE.ASH_THH.TAC cpu.weit.f or .response 1 
THU RN2LAST.TAC 
THU REHRITE.AU 2 1 
THU AS SUN. LI ST (\tbs. 

(TAC1 (el 1 tbs))) 

Xaos se got •S_ae((t ♦ a*) * 1) » 1"X 
THU REVUTE.TAC [ADD 1] XADD1: a +1 - SUC aX 
THU AU.REVRITE.TAC □ 

]):; 


%
 wait_cpu2
%

let wait_cpu2 = prove_thm
  ('wait_cpu2',
   "! (rep:^rep_ty) (c_ac:num->num) (c_reg:num->num->num)
      (mem:num->*memory) (ir:num->num) (dataout:num->*wordn)
      (address:num->num) (read write:num->bool) (cpu_state:num->num)
      (resp_ready:num->bool) (datain:num->*wordn) (n:num) .
    cpu_service n rep (c_ac, c_reg, mem, ir, dataout,
                       address, read, write, cpu_state) (resp_ready, datain)
    ==>
    ! (t:num). (cpu_state t = 1) ==>
      StableUntil2 (mem, t, resp_ready) /\
      StableUntil2 (ir, t, resp_ready)",
   TAC_induc2 StableUntil2
  );;


%
 wait_cpu3
%

let wait_cpu3 = prove_thm
  ('wait_cpu3',
   "! (rep:^rep_ty) (c_ac:num->num) (c_reg:num->num->num)
      (mem:num->*memory) (ir:num->num) (dataout:num->*wordn)
      (address:num->num) (read write:num->bool) (cpu_state:num->num)
      (resp_ready:num->bool) (datain:num->*wordn) (n:num) .
    cpu_service n rep (c_ac, c_reg, mem, ir, dataout,
                       address, read, write, cpu_state) (resp_ready, datain)
    ==>
    ! (t:num). (cpu_state t = 1) ==>
      StableUntil3 (read, F, t, resp_ready) /\
      StableUntil3 (write, F, t, resp_ready)",
   REPEAT STRIP_TAC
   THEN REWRITE_TAC [StableUntil3; Stable]
   THEN IMP_RES_TAC cpu_wait_for_response_lemma
   THEN RM2LAST_TAC
   % induction on the length of wait period -- "n" %
   THEN DUP_TAC (INDUCT_TAC
   THENL [
     % base case %
     REWRITE_TAC [ADD_CLAUSES]                         % t+0=t %
     % NOT_LESS: !m n. ~m<n = n<=m;
       EQ_SYM_EQ: !x y. (x=y) = (y=x) %
     THEN ASSUM_LIST (\ths. ASSUME_TAC
            (ONCE_REWRITE_RULE [EQ_SYM_EQ] (NOT_LESS)))
     THEN ASM_REWRITE_TAC[]
     THEN STRIP_TAC
     THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t:num" (el 1 ths)))
     THEN ASSUM_LIST (\ths. ASSUME_TAC                 % LESS_REFL: ~n<n %
            (REWRITE_RULE [LESS_REFL] (el 1 ths)))
     THEN ASSUM_LIST (\ths. ASSUME_TAC
            (REWRITE_RULE [SYM_RULE ADD1] (el 1 ths)))
     THEN ASSUM_LIST (\ths. ASSUME_TAC
            (REWRITE_RULE [LESS_SUC_REFL] (el 1 ths)))
     % LESS_SUC_REFL: n<SUC n %
     % now we get "~resp_ready t" %
     THEN REWRITE_ASM 1 7
     THEN ASSUM_LIST (\ths.
            TAC1 (el 1 ths))            % now we get "~read(t+1)" %
     THEN ASM_REWRITE_TAC[];
     % induction step %
     REWRITE_TAC [ADD_CLAUSES]                         % m+(SUC n)=SUC (m+n) %
     THEN STRIP_TAC
     THEN IMP_RES_TAC lemma_suc
     THEN REWRITE_ASM1 1 3              % now we have "~read(t+(n'+1))" %
     THEN IMP_RES_TAC wait_cpu
     THEN RM2LAST_TAC
     THEN ASSUM_LIST (\ths. ASSUME_TAC
            (REWRITE_RULE [StableUntil; Stable] (el 1 ths)))
     THEN RM2LAST_TAC
     THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "(n'+1)" (el 1 ths)))
     THEN RM2LAST_TAC
     THEN REWRITE_ASM 3 1               % now we get cpu_state(t+(n'+1)) = 1 %
     % to get (t + n') < (SUC(t + n')) ==> ~resp_ready(t + n') %
     THEN ASSUM_LIST (\ths. ASSUME_TAC (SPEC "t+(n'+1)" (el 4 ths)))
     % LESS_EQ_ADD: m<=(m+n) %
     THEN REWRITE_ASM_THM_TAC LESS_EQ_ADD 1
     % LESS_SUC_REFL: n < (SUC n) %
     THEN REWRITE_ASM_THM_TAC LESS_SUC_REFL 1
     % now we have "~resp_ready(t + (n'+1))" %
     THEN IMP_RES_TAC cpu_wait_for_response_lemma
     THEN RM2LAST_TAC
     THEN REWRITE_ASM_THM_TAC cpu_wait_for_response 1
     THEN RM2LAST_TAC
     THEN REWRITE_ASM 2 1
     THEN ASSUM_LIST (\ths.
            (TAC1 (el 1 ths)))
     % now we get "~read((t + (n'+1)) + 1)" %
     THEN REWRITE_TAC [ADD1]                           % ADD1: n+1 = SUC n %
     THEN ASM_REWRITE_TAC[]
   ])
  );;


let TAC2_induc =
  REPEAT STRIP_TAC
  THEN REWRITE_TAC [StableUntil2; Stable]
  THEN IMP_RES_TAC apu_idle_lemma
  THEN RM2LAST_TAC
  % induction on the length of wait period -- "n" %
  THEN DUP_TAC (INDUCT_TAC
  THENL [
    % base case %
    REWRITE_TAC [ADD_CLAUSES]                          % t+0=t %
    THEN ASM_REWRITE_TAC[];
    % induction step %
    REWRITE_TAC [ADD_CLAUSES]                          % m+(SUC n)=SUC (m+n) %
    THEN STRIP_TAC                      % manipulate the induction assumption %
    THEN IMP_RES_TAC lemma_suc2
    THEN REWRITE_ASM 1 3                % now we have f_ac(t+n')=f_ac t %
    % to get (t + n') < (SUC(t + n')) ==> ~start(t + n') %
    THEN ASSUM_LIST (\ths.
           (ASSUME_TAC (SPEC "t+n'" (el 2 ths))))
    THEN REWRITE_ASM_THM_TAC LESS_EQ_ADD 1             % m<=(m+n) %
    THEN REWRITE_ASM_THM_TAC LESS_SUC_REFL 1           % n < (SUC n) %
    % now we have "~start(t + n')" %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN ASSUM_LIST (\ths.
           (TAC1 (el 1 ths)))
    % now we get "f_ac((t + n') + 1) = f_ac t" %
    THEN REWRITE_TAC [ADD1]                            % ADD1: m+1 = SUC m %
    THEN ASM_REWRITE_TAC[]
  ]);;


%
 wait_apu
%

let wait_apu = prove_thm
  (`wait_apu`,
   "! (rep : ^rep_ty) (f_ac : num->fp) (f_reg : num->num->fp)
      (cw sw : num->bool#bool#bool#bool)
      (done : num->bool) (start : num->bool) (decode_reg : num->num)
      (n:num) .
    apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                      (start, decode_reg)
    ==>
    ! (t:num). ~(start t) ==>
      StableUntil2 (f_ac, t, start) /\
      StableUntil2 (f_reg, t, start)",
   TAC2_induc
  );;


%
 wait_apu2
%

let wait_apu2 = prove_thm
  (`wait_apu2`,
   "! (rep : ^rep_ty) (f_ac : num->fp) (f_reg : num->num->fp)
      (cw sw : num->bool#bool#bool#bool)
      (done : num->bool) (start : num->bool) (decode_reg : num->num)
      (n:num) .
    apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                      (start, decode_reg)
    ==>
    ! (t:num). ~(start t) ==>
      StableUntil2 (cw, t, start) /\
      StableUntil2 (sw, t, start)",
   TAC2_induc
  );;


close_theory();;

quit();;
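wait_apu and wait_apu2 are both discharged by TAC2_induc, an induction on the length n of the idle period: while start stays low, apu_idle_lemma gives f_ac (t+n+1) = f_ac (t+n), and the induction hypothesis f_ac (t+n) = f_ac t closes the step. The Python below is an added example, not part of the report's HOL scripts, that replays that argument over a constructed trace. It assumes the reading StableUntil2 (f, t, start) = "for every n, if start is false at t, t+1, ..., t+n-1 then f (t+n) = f t" (the page does not print the definition) and models the APU's idle behaviour as "if start is low at cycle u, the registers at u+1 equal those at u".

```python
"""Trace-level replay of the wait_apu induction (StableUntil2).

Added example in Python; not from the report.  Assumed reading of
StableUntil2 (f, t, start): for all n, if ~start holds at every cycle in
t .. t+n-1, then f (t+n) = f t.  apu_idle is modelled as: if ~start at
cycle u then the APU registers at u+1 equal those at u.
"""
from typing import List, Sequence, Tuple


def apu_idle_step(f: Sequence[float], start: Sequence[bool], u: int) -> bool:
    """apu_idle_lemma at cycle u: ~start u ==> f (u+1) = f u."""
    return start[u] or f[u + 1] == f[u]


def stable_until2(f: Sequence[float], t: int, start: Sequence[bool]) -> bool:
    """Check StableUntil2 (f, t, start) directly over a finite trace."""
    for n in range(len(f) - t):
        if any(start[t + i] for i in range(n)):
            break  # a start occurred: nothing is promised beyond it
        if f[t + n] != f[t]:
            return False
    return True


def stable_until2_by_induction(f: Sequence[float], t: int,
                               start: Sequence[bool]) -> bool:
    """The TAC2_induc argument, unrolled.  Base case: f(t+0) = f t holds
    trivially.  Step: from f(t+n) = f t and ~start(t+n), the idle lemma
    gives f(t+n+1) = f(t+n) = f t."""
    n = 0
    while t + n + 1 < len(f) and not start[t + n]:
        if not apu_idle_step(f, start, t + n):   # idle lemma at t+n
            return False
        if f[t + n + 1] != f[t]:                  # conclusion of the step
            return False
        n += 1
    return True


def make_trace(length: int, start_at: int, new_value: float
               ) -> Tuple[List[float], List[bool]]:
    """Constructed trace: start is high only at cycle start_at; f_ac keeps
    its initial value until the cycle after that start, then changes."""
    start = [u == start_at for u in range(length)]
    f_ac = [1.0 if u <= start_at else new_value for u in range(length)]
    return f_ac, start


def run_example() -> Tuple[bool, bool, bool]:
    """Returns (lemma holds from t=0, lemma holds from t=2,
    a trace whose register moves while start is low is rejected)."""
    f_ac, start = make_trace(10, 5, 7.5)
    ok0 = stable_until2(f_ac, 0, start) and stable_until2_by_induction(f_ac, 0, start)
    ok2 = stable_until2(f_ac, 2, start) and stable_until2_by_induction(f_ac, 2, start)
    bad_f, bad_start = make_trace(10, 5, 7.5)
    bad_f[3] = 9.0          # register changed with start still low
    rejected = not stable_until2(bad_f, 0, bad_start)
    return ok0, ok2, rejected


if __name__ == "__main__":
    print(run_example())
```

The "break at the first start" in stable_until2 is what the correctness proofs exploit later on this page: they instantiate n with ((t'-t)-1)-1 and discharge the "no start before then" premise with the assumption Stable (start, F, (t+1)+1, t').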


%
 arith.ml

 Theorems concerning number manipulation, used in
 conjunction with the theorems in the file "induc.ml".
%

loadf `/csgrad/panj/holdir/init.ml`;;
loadf `tactics.ml`;;

system `/bin/rm -f a.th`;;

set_flag (`sticky`, true);;

new_theory `a`;;

loadf `aux_defs.ml`;;

map new_parent [`aux`; `induc`; `num_thms`];;
autoload_defs_and_thms `induc`;;

loadf `normalise`;;
loadf `num_thms`;;


%
 num_lemma1
%

let num_lemma1 = prove_thm
  (`num_lemma1`,
   "! t t':num . ((((t+1)+1)<=t') ==> ((t+1) + ((t'-t)-1) = t'))",
   REPEAT STRIP_TAC
   THEN NORMALIZE_TAC
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["t'-t"; "1"; "1"] SUB_ADD_SUB))
   %now we need to get 1<=(t'-t) from ((t+1)+1) <= t' %
   % first to get SUC SUC t <= t'%
   THEN REWRITE_ASM_THM_TAC (SYM_RULE ADD1) 2
   % to get SUC SUC t<t' \/ SUC SUC t=t' %
   THEN REWRITE_ASM_THM_TAC LESS_OR_EQ 1
   THEN RM2LAST_TAC
   % to get SUC t < t'%
   THEN REWRITE_ASM_THM_TAC (SYM_RULE LESS_EQ_SUC_LESS) 1
   THEN RM2LAST_TAC
   %to get t<t'%
   THEN IMP_RES_TAC SUC_LESS
   % to get 0 < (t'-t)%
   THEN IMP_RES_TAC (SYM_RULE SUB_LESS_0)
   THEN POP_TOP_ASSUMP_TAC
   % to get SUC 0 <= (t'-t)%
   THEN REWRITE_ASM_THM_TAC (LESS_EQ) 1
   % to get SUC 0%
   THEN REWRITE_ASM_THM_TAC ADD1 1
   THEN REWRITE_ASM_THM_TAC ADD 1
   % clean up, to get rid of unnecessary assumptions %
   THEN RM2LAST_TAC
   THEN RM2LAST_TAC
   THEN RM2LAST_TAC
   % to switch -1 and +1 %
   THEN REWRITE_ASM1 1 4
   THEN ASM_REWRITE_TAC []
   THEN REWRITE_TAC [ADD_SUB]
   % now we have got: (t'-t)+t = t' as the goal %
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["t'"; "t"; "t"] SUB_ADD_SUB))
   % to get t<=t' %
   THEN REWRITE_ASM_THM_TAC LESS_OR_EQ 1
   THEN REWRITE_ASM 5 1 % 5 = t<t' %
   THEN ASM_REWRITE_TAC []
   THEN REWRITE_TAC [ADD_SUB] );;


%
 num_lemma2b
%

let num_lemma2b = prove_thm
  (`num_lemma2b`,
   "! t t':num . ((((t+1)+1)<=t') ==>
      (((t+1)+1) + (((t'-t)-1)-1) = t'))",
   REPEAT STRIP_TAC
   THEN NORMALIZE_TAC
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["(t'-t)-1"; "1"; "1"] SUB_ADD_SUB))
   %now we need to get 1<=(t'-t)-1 from ((t+1)+1) <= t' %
   % first to get SUC SUC t <= t'%
   THEN REWRITE_ASM_THM_TAC (SYM_RULE ADD1) 2
   % to get SUC SUC t<t' \/ SUC SUC t=t' %
   THEN REWRITE_ASM_THM_TAC LESS_OR_EQ 1
   THEN RM2LAST_TAC
   % to get SUC t < t'%
   THEN REWRITE_ASM_THM_TAC (SYM_RULE LESS_EQ_SUC_LESS) 1
   THEN RM2LAST_TAC
   % to get t+1 < t' %
   THEN REWRITE_ASM_THM_TAC ADD1 1
   % to get 0 < (t'-(t+1))%
   THEN IMP_RES_TAC (SYM_RULE SUB_LESS_0)
   THEN POP_TOP_ASSUMP_TAC
   % to get 0 < (t'-t)-1 %
   THEN REWRITE_ASM_THM_TAC (SYM_RULE SUB_ADD_ASSOC) 1
   THEN RM3LAST_TAC
   % to get SUC 0 <= (t'-t)-1%
   THEN REWRITE_ASM_THM_TAC (LESS_EQ) 1
   % to get SUC 0 = 0+1 %
   THEN REWRITE_ASM_THM_TAC ADD1 1
   % to get 0+1 = 1%
   THEN REWRITE_ASM_THM_TAC ADD 1
   % Clean up, to get rid of unnecessary assumptions %
   THEN RM3LAST_TAC
   THEN RM2LAST_TAC
   % to switch -1 and +1 %
   THEN REWRITE_ASM1 1 5
   THEN ASM_REWRITE_TAC []
   THEN REWRITE_TAC [ADD_SUB]
   % now we have got: (((t'-t)-1)+1)+t = t' as the goal %
   THEN POP_TOP_ASSUMP_TAC
   THEN POP_TOP_ASSUMP_TAC
   THEN POP_TOP_ASSUMP_TAC
   THEN POP_TOP_ASSUMP_TAC
   %to get t<t'%
   THEN IMP_RES_TAC SUC_LESS
   % to get 0 < (t'-t)%
   THEN IMP_RES_TAC (SYM_RULE SUB_LESS_0)
   THEN POP_TOP_ASSUMP_TAC
   % to get SUC 0 <= (t'-t)%
   THEN REWRITE_ASM_THM_TAC (LESS_EQ) 1
   % to get SUC 0 = 0+1%
   THEN REWRITE_ASM_THM_TAC ADD1 1
   % to get 0+1 = 1%
   THEN REWRITE_ASM_THM_TAC ADD 1
   % to get "1 <= (t' - t) ==> (((t' - t) - 1) + 1 = ((t' - t) + 1) - 1)" %
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["t'-t"; "1"; "1"] SUB_ADD_SUB))
   % to get "((t' - t) - 1) + 1 = ((t' - t) + 1) - 1"%
   THEN REWRITE_ASM 2 1
   THEN ASM_REWRITE_TAC []
   THEN REWRITE_TAC [ADD_SUB]
   % to get t<=t' %
   THEN POP_TOP_ASSUMP_TAC
   THEN POP_TOP_ASSUMP_TAC
   THEN POP_TOP_ASSUMP_TAC
   THEN POP_TOP_ASSUMP_TAC
   THEN POP_TOP_ASSUMP_TAC
   %(t' - t) + t = t'%
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["t'"; "t"; "t"] SUB_ADD_SUB))
   THEN REWRITE_ASM_THM_TAC LESS_OR_EQ 1
   THEN REWRITE_ASM 3 1 % 3 = t<t' %
   THEN ASM_REWRITE_TAC []
   THEN REWRITE_TAC [ADD_SUB] );;




%
 num_lemma2

 Used in conjunction with (1) "wait_cpu" to get
 "cpu_state t' = 1"; (2) "wait_cpu2" to get
 "mem t' = mem (t+1+1)" and "ir t' = ir (t+1+1)";
 (3) "wait_apu" to get "f_ac t' = .." and "f_reg t' = .."
%

let num_lemma2 = prove_thm
  (`num_lemma2`,
   "! t t':num . (((((t+1)+1)+1)<=t') ==>
      (((t+1)+1) + (((t'-t)-1)-1) = t'))",
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["((t+1)+1)"; "t'"] (SYM_RULE LESS_EQ)))
   %LESS_EQ = m<n = (SUC m <= n)%
   THEN REWRITE_ASM_THM_TAC ADD1 1
   THEN REWRITE_ASM1 3 1
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["t"; "t'"] num_lemma2b))
   THEN REWRITE_ASM_THM_TAC LESS_OR_EQ 1
   THEN RM2LAST_TAC
   THEN REWRITE_ASM 2 1
   THEN ASM_REWRITE_TAC []
  );;


%
 num_lemma3b
%

let num_lemma3b = prove_thm
  (`num_lemma3b`,
   "! t t':num . ((((((t+1)+1)+1)+1)<=t') ==>
      (((((t+1)+1)+1)+1) + (((((t'-t)-1)-1)-1)-1) = t'))",
   REPEAT STRIP_TAC
   THEN ASSUME_TAC num_lemma2b
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["(t+1)+1"; "t':num"] (el 1 ths)))
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["t'"; "(t+1)"; "1"] (SYM_RULE SUB_ADD_ASSOC)))
   THEN REWRITE_ASM1 1 2
   % now get "((((t + 1) + 1) + 1) + 1) <= t' ==>
        (((((t + 1) + 1) + 1) + 1) + ((((t' - (t + 1)) - 1) - 1) - 1) = t')" %
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["t'"; "t"; "1"] (SYM_RULE SUB_ADD_ASSOC)))
   THEN REWRITE_ASM1 1 2
   % now get "((((t + 1) + 1) + 1) + 1) <= t' ==>
        (((((t + 1) + 1) + 1) + 1) + (((((t' - t) - 1) - 1) - 1) - 1) = t')" %
   THEN REWRITE_ASM1 7 1
   THEN ASM_REWRITE_TAC []
  );;


%
 num_lemma3

 Used in conjunction with (1) "wait_cpu" to get
 "f_reg (t'+1+1+1+1)".
%

let num_lemma3 = prove_thm
  (`num_lemma3`,
   "! t t':num . (((((((t+1)+1)+1)+1)+1)<=t') ==>
      (((((t+1)+1)+1)+1) + (((((t'-t)-1)-1)-1)-1) = t'))",
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["((((t+1)+1)+1)+1)"; "t'"] (SYM_RULE LESS_EQ)))
   %LESS_EQ = m<n = (SUC m <= n)%
   THEN REWRITE_ASM_THM_TAC ADD1 1
   THEN REWRITE_ASM1 3 1
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["t"; "t'"] num_lemma3b))
   THEN REWRITE_ASM_THM_TAC LESS_OR_EQ 1
   THEN RM2LAST_TAC
   THEN REWRITE_ASM 2 1
   THEN ASM_REWRITE_TAC []
  );;


%
 num_lemma4
%

let num_lemma4 = prove_thm
  (`num_lemma4`,
   "! t t':num . ((((t+1)+1)+1)<=t') ==>
      (((t+1)+1) + (((((t'-t)-1)-1)-1)+1) = t'))",
   REPEAT STRIP_TAC
   THEN ASSUM_LIST (\ths. ASSUME_TAC
        (SPECL ["((t'-t)-1)-1"; "1"; "1"] SUB_ADD_SUB))
   %now we need to get 1<=((t'-t)-1)-1 from (((t+1)+1)+1) <= t' %
   % first to get SUC SUC SUC t <= t'%
   THEN REWRITE_ASM_THM_TAC (SYM_RULE ADD1) 2
   % to get SUC SUC SUC t<t' \/ SUC SUC SUC t=t' %
   THEN REWRITE_ASM_THM_TAC LESS_OR_EQ 1
   THEN RM2LAST_TAC
   % to get SUC SUC t < t'%
   THEN REWRITE_ASM_THM_TAC (SYM_RULE LESS_EQ_SUC_LESS) 1
   THEN RM2LAST_TAC
   % to get 0 < (t'-SUC SUC t)%
   THEN IMP_RES_TAC (SYM_RULE SUB_LESS_0)
   % to get SUC 0 <= (t'-SUC SUC t)%
   THEN REWRITE_ASM_THM_TAC (LESS_EQ) 1
   % to get SUC 0 = 1%
   THEN REWRITE_ASM_THM_TAC ADD1 1
   THEN REWRITE_ASM_THM_TAC ADD 1
   THEN RM2LAST_TAC
   THEN RM2LAST_TAC
   THEN RM2LAST_TAC
   THEN REWRITE_ASM_THM_TAC (SYM_RULE SUB_ADD_ASSOC) 1
   %SUB_ADD_ASSOC = |- !a b c. (a - b) - c = a - (b + c)%
   THEN RM2LAST_TAC
   THEN REWRITE_ASM1 1 3
   THEN REWRITE_ASM_THM_TAC ADD_SUB 1 %ADD_SUB = (a+b)-b=a%
   %now get "((((t' - t) - 1) - 1) - 1) + 1 = ((t' - t) - 1) - 1"%
   THEN ASM_REWRITE_TAC []
   THEN IMP_RES_TAC num_lemma2
  );;


close_theory();;
quit();;
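The num_lemma theorems above are statements about HOL's subtraction on :num, where m - n is 0 whenever n > m; that truncation is the reason each lemma carries a hypothesis of the form t+k <= t'. The following Python check is an added example, not part of the report's HOL scripts: it models truncated subtraction, states the lemmas in the general form "(t+k) <= t' implies (t+k) + ((t'-t) with k ones subtracted) = t'" (num_lemma1, num_lemma2b and num_lemma3b are the cases k = 1, 2, 4; num_lemma2 and num_lemma4 are written out separately), verifies them exhaustively on small inputs, and exhibits why the hypothesis cannot be dropped.

```python
"""Exhaustive check of the num_lemma statements over naturals.

Added example (Python), not part of the report's HOL88 scripts.  HOL's
`-` on :num is truncated: m - n = 0 whenever n > m, which is exactly why
every lemma needs a hypothesis of the form t+k <= t'.
"""
from itertools import product


def nat_sub(m: int, n: int) -> int:
    """HOL-style truncated subtraction on natural numbers."""
    if m < 0 or n < 0:
        raise ValueError("naturals only")
    return m - n if m >= n else 0


def nat_sub_chain(x: int, k: int) -> int:
    """((x - 1) - 1) ... - 1, applied k times, as the lemmas write it."""
    for _ in range(k):
        x = nat_sub(x, 1)
    return x


def conclusion(t: int, tp: int, k: int) -> bool:
    """Bare conclusion (t+k) + (((t'-t)-1)...-1) = t' with k subtractions."""
    return (t + k) + nat_sub_chain(nat_sub(tp, t), k) == tp


def lemma_general(t: int, tp: int, k: int) -> bool:
    """General form: (t+k) <= t' ==> conclusion(t, t', k).
    num_lemma1 is k=1, num_lemma2b is k=2, num_lemma3b is k=4."""
    if not (t + k <= tp):
        return True  # implication is vacuously true
    return conclusion(t, tp, k)


def lemma2(t: int, tp: int) -> bool:
    """num_lemma2: (t+3) <= t' ==> ((t+1)+1) + (((t'-t)-1)-1) = t'.
    Same conclusion as num_lemma2b under a stronger hypothesis."""
    if not (t + 3 <= tp):
        return True
    return (t + 2) + nat_sub_chain(nat_sub(tp, t), 2) == tp


def lemma4(t: int, tp: int) -> bool:
    """num_lemma4: (t+3) <= t' ==> ((t+1)+1) + ((((t'-t)-1)-1)-1)+1 = t'.
    The HOL proof rewrites (x-1)+1 back to x using 1 <= x and then
    finishes with num_lemma2."""
    if not (t + 3 <= tp):
        return True
    return (t + 2) + (nat_sub_chain(nat_sub(tp, t), 3) + 1) == tp


def check_all(limit: int = 40) -> bool:
    """Exhaustively check every lemma for 0 <= t, t' < limit."""
    for t, tp in product(range(limit), repeat=2):
        for k in (1, 2, 4):
            if not lemma_general(t, tp, k):
                return False
        if not (lemma2(t, tp) and lemma4(t, tp)):
            return False
    return True


if __name__ == "__main__":
    print("all lemmas hold on 0..39:", check_all())
    # Constructed counterexample: t'=6 is only one step past t=5, so the
    # k=2 conclusion fails because ((t'-t)-1)-1 truncates to 0.
    print("k=2 conclusion at t=5, t'=6:", conclusion(5, 6, 2))
```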




APPENDIX C: VERIFICATION OF FPC TOP-LEVEL INTERPRETER 


%
 File: fpc_top.ml
 Author: Jing Pan
 Date: Aug 1990

 The top level description of the APU
%

loadf `/csgrad/panj/holdir/init.ml`;;

loadf `abstract.ml`;;

system `/bin/rm -f fpc_top.th`;;

set_flag (`sticky`, true);;

new_theory `fpc_top`;;

loadf `aux_defs.ml`;;

map new_parent [`aux`; `interface`; `fptype`; `apu_top`];;

autoload_defs_and_thms `aux`;;
autoload_defs_and_thms `fptype`;;
autoload_defs_and_thms `apu_top`;;

let rep_ty = abstract_type `interface` `fetch`;;


%
 state on the top level for APU:
   (f_ac, f_reg, c_ac, c_reg, mem)
 env on APU top level:
   (ir)

 note: (c_ac, c_reg, mem, ir) actually belong to the
 CPU state. But since the FSTR instruction changes
 CPU state, c_ac, c_reg and mem have to be
 included here.
%

%
 Arithmetic Instruction

 perform arithmetic operations on single or double
 precision floating point (real) numbers:
   FADD, FSUB, FMUL, FDIV, FREM

 These operations are entirely internal to the coprocessor.

   (f_ac) + (f_reg i) -> f_ac
%

let FADD = new_definition
  (`FADD`,
   "! (rep : ^rep_ty) (f_ac : fp) (f_reg : num->fp) (c_ac : num)
      (c_reg :num->num) (mem : ^memory) (ir :num) (n:num) .
    FADD n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir) =
      let (addr :num) = (Addr n ir) in
      ((FST (FP_ADD n1 n2 f_ac (f_reg addr))), f_reg, c_ac, c_reg,
       mem)"
  );;


let FSUB = new_definition
  (`FSUB`,
   "! (rep : ^rep_ty) f_ac f_reg c_ac c_reg mem ir n .
    FSUB n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir) =
      let (addr:num) = (Addr n ir) in
      ((FST (FP_SUB n1 n2 f_ac (f_reg addr))), f_reg, c_ac, c_reg,
       mem)"
  );;

let FMUL = new_definition
  (`FMUL`,
   "! (rep : ^rep_ty) f_ac f_reg c_ac c_reg mem ir n .
    FMUL n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir) =
      let (addr:num) = (Addr n ir) in
      ((FST (FP_MUL n1 n2 f_ac (f_reg addr))), f_reg, c_ac, c_reg,
       mem)"
  );;

let FDIV = new_definition
  (`FDIV`,
   "! (rep : ^rep_ty) f_ac f_reg c_ac c_reg mem ir n .
    FDIV n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir) =
      let (addr:num) = (Addr n ir) in
      ((FST (FP_DIV n1 n2 f_ac (f_reg addr))), f_reg, c_ac, c_reg,
       mem)"
  );;


%
 Load & Store

 Load from the operand cir to F_AC, and store F_AC to
 the operand cir.
%

let FLD = new_definition
  (`FLD`,
   "! (rep : ^rep_ty) f_ac f_reg c_ac c_reg mem ir n .
    FLD n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir) =
      let data = fetch rep mem (Addr n ir) in
      (((wtofp rep) data), f_reg, c_ac, c_reg, mem)"
  );;

let FSTR = new_definition
  (`FSTR`,
   "! (rep : ^rep_ty) f_ac f_reg c_ac c_reg mem ir n .
    FSTR n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir) =
      let new_mem = (store rep) mem (Addr n ir) (fptow rep f_ac) in
      (f_ac, f_reg, c_ac, c_reg, new_mem)"
  );;


%
 NextState_fpc

 Define the next state at the instruction level
%

let NextState_fpc = new_definition
  (`NextState_fpc`,
   "! (rep : ^rep_ty) ir n .
    NextState_fpc n rep ir =
      (((Opc n ir) = 0) => (FLD n rep) |
       ((Opc n ir) = 1) => (FSTR n rep) |
       ((Opc n ir) = 2) => (FADD n rep) |
       ((Opc n ir) = 3) => (FSUB n rep) |
       ((Opc n ir) = 4) => (FMUL n rep) |
       (FDIV n rep))"
  );;


%
 fpc_top

 The top level specification of the floating-point
 coprocessor
%

let fpc_top = new_definition
  (`fpc_top`,
   "! (rep : ^rep_ty) (f_ac :num->fp) (f_reg :num->num->fp) (c_ac :num->num)
      (c_reg :num->num->num) (mem:num->^memory) (ir :num->num)
      (n:num) .
    fpc_top n rep (f_ac, f_reg, c_ac, c_reg, mem) (ir) =
      !t. ?t'.
        (f_ac t', f_reg t', c_ac t', c_reg t', mem t') =
        NextState_fpc n rep (ir t) (f_ac t, f_reg t, c_ac t, c_reg t,
                                    mem t) (ir t)"
  );;

%
 FPCstate

 the cpu accumulator and register, memory, and instruction
 register will be different when the current FP instruction
 finishes, since some CPU instruction might have been executed
%

let FPCstate = new_definition
  (`FPCstate`,
   "! (f_ac:fp) (f_reg:num->fp) (c_ac:num) (c_reg : num->num)
      (mem:^memory) (ir:num) .
    FPCstate (f_ac, f_reg, c_ac, c_reg, mem) = (f_ac, f_reg)"
  );;


close_theory();;

quit();;
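To make the NextState_fpc dispatch, the FSTR side effect on CPU-owned memory, and the FPCstate projection concrete, the following Python model is an added example (not the report's HOL definitions). Opc and Addr are not defined in this file, so the model assumes a constructed encoding with the opcode in the high byte of ir and the register or memory address in the low byte; the representation-dependent fetch, store, wtofp, fptow and FP_ADD/FP_SUB/FP_MUL/FP_DIV are replaced by plain Python floats and a dict memory, so the double_fp obligation (wtofp after fptow is the identity) holds trivially.

```python
"""Executable model of the FPC top-level interpreter (fpc_top.ml).

Added example in Python; not the report's HOL88 definitions.  Assumptions
(not fixed by the page): ir encodes the opcode in bits 8..15 and the
operand address in bits 0..7; `fp` values are Python floats; memory is a
dict from address to value; wtofp/fptow are the identity.
"""
from typing import Callable, Dict, NamedTuple, Tuple

Mem = Dict[int, float]


class State(NamedTuple):
    """(f_ac, f_reg, c_ac, c_reg, mem): the APU top-level state tuple."""
    f_ac: float
    f_reg: Tuple[float, ...]
    c_ac: int
    c_reg: Tuple[int, ...]
    mem: Mem


def Opc(ir: int) -> int:
    """Assumed encoding: opcode in the high byte (not defined on the page)."""
    return (ir >> 8) & 0xFF


def Addr(ir: int) -> int:
    """Assumed encoding: operand address in the low byte."""
    return ir & 0xFF


def _arith(op: Callable[[float, float], float]) -> Callable[[State, int], State]:
    """FADD/FSUB/FMUL/FDIV: f_ac := f_ac op f_reg[Addr ir]; nothing else moves."""
    def instr(s: State, ir: int) -> State:
        return s._replace(f_ac=op(s.f_ac, s.f_reg[Addr(ir)]))
    return instr


FADD = _arith(lambda a, b: a + b)
FSUB = _arith(lambda a, b: a - b)
FMUL = _arith(lambda a, b: a * b)
FDIV = _arith(lambda a, b: a / b)


def FLD(s: State, ir: int) -> State:
    """Load: f_ac := wtofp (fetch mem (Addr ir)); memory unchanged."""
    return s._replace(f_ac=s.mem[Addr(ir)])


def FSTR(s: State, ir: int) -> State:
    """Store: mem[Addr ir] := fptow f_ac.  This is the one instruction that
    changes CPU-owned state (mem), which is why mem is carried in State."""
    new_mem = dict(s.mem)
    new_mem[Addr(ir)] = s.f_ac
    return s._replace(mem=new_mem)


def NextState_fpc(ir: int) -> Callable[[State, int], State]:
    """Dispatch on Opc exactly as the HOL conditional does: 0 FLD, 1 FSTR,
    2 FADD, 3 FSUB, 4 FMUL, anything else FDIV (the default branch)."""
    return {0: FLD, 1: FSTR, 2: FADD, 3: FSUB, 4: FMUL}.get(Opc(ir), FDIV)


def fpc_step(s: State, ir: int) -> State:
    """One fpc_top step: NextState_fpc (ir t) applied to the current state
    and the same ir."""
    return NextState_fpc(ir)(s, ir)


def FPCstate(s: State) -> Tuple[float, Tuple[float, ...]]:
    """Projection used by the *_Correct theorems: only (f_ac, f_reg) are
    compared, because the CPU may have changed c_ac, c_reg and mem meanwhile."""
    return (s.f_ac, s.f_reg)


def demo() -> Tuple[float, float, float]:
    """Constructed program: FLD mem[2]; FADD f_reg[1]; FSTR mem[3].
    Returns (f_ac after FLD, f_ac after FADD, mem[3] after FSTR)."""
    s = State(f_ac=0.0, f_reg=(0.0, 2.25, 0.0, 0.0), c_ac=0, c_reg=(0,),
              mem={2: 1.5})
    s1 = fpc_step(s, (0 << 8) | 2)   # FLD  from mem[2]
    s2 = fpc_step(s1, (2 << 8) | 1)  # FADD f_reg[1]
    s3 = fpc_step(s2, (1 << 8) | 3)  # FSTR to mem[3]
    return (s1.f_ac, s2.f_ac, s3.mem[3])


if __name__ == "__main__":
    print(demo())
```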


%
 File: f_arith_correct.ml
 Author: Jing Pan
 Date: Jan. 1991

 Purpose: Verification of FPC top level against top level
          spec of the BIU, APU, and CPU_service, in the
          case of an arithmetic instruction (FADD, FSUB,
          FMUL, FDIV).

 Theories Used: aux, biu_top, biu_lemma, apu_top, apu_lemma,
                cpu_service, service_lemma, fpc_top, induc, a.
%

loadf `/csgrad/panj/holdir/init.ml`;;

loadf `abstract.ml`;;
loadf `tactics.ml`;;

system `/bin/rm -f f_arith_correct.th`;;
set_flag (`sticky`, true);;
new_theory `f_arith_correct`;;

loadf `aux_defs.ml`;;

map new_parent [`aux`; `biu_top`; `biu_lemma`; `apu_top`;
                `apu_lemma`; `cpu_service`; `service_lemma`;
                `fpc_top`; `induc`; `a`];;

autoload_defs_and_thms `biu_top`;;
autoload_defs_and_thms `biu_lemma`;;
autoload_defs_and_thms `apu_top`;;
autoload_defs_and_thms `apu_lemma`;;
autoload_defs_and_thms `cpu_service`;;
autoload_defs_and_thms `service_lemma`;;
autoload_defs_and_thms `fpc_top`;;
autoload_defs_and_thms `aux`;;
autoload_defs_and_thms `induc`;;
autoload_defs_and_thms `a`;;

let rep_ty = abstract_type `interface` `fetch`;;

new_theory_obligations [
  "! (z:num) (rep:^rep_ty) . ((wtonum rep (numtow rep z)) = z)";
  "! (z:fp) (rep:^rep_ty) . ((wtofp rep (fptow rep z)) = z)";
  ];;

let double_num = prove_thm
  (`double_num`,
   "! (z:num) (rep:^rep_ty) . ((wtonum rep (numtow rep z)) = z)",
   REPEAT STRIP_TAC
   THEN ASM_REWRITE_TAC []);;

let double_fp = prove_thm
  (`double_fp`,
   "! (z:fp) (rep:^rep_ty) . ((wtofp rep (fptow rep z)) = z)",
   REPEAT STRIP_TAC
   THEN ASM_REWRITE_TAC []);;

map loadf [`digit`; `decimal`];;


let TAC_storm apu_instr_lemma C_instr instr =
  %t->t+1%
  REPEAT STRIP_TAC
  %(1) APU: apu_idle_lemma -- idle, waiting for start signal%
  THEN IMP_RES_TAC apu_idle_lemma
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC apu_idle 1
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  %(2) BIU -- idle, waiting for the new_instr signal%
  THEN IMP_RES_TAC biu_idle_lemma
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC biu_idle 1
  THEN RM2LAST_TAC
  THEN REWRITE_ASM 11 1 %11 = "~new_instr t"%
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  %(3) CPU -- start up the communication by sending the instr%
  THEN IMP_RES_TAC cpu_begin_lemma
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC cpu_begin 1
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  %t+1 --> t+1+1%
  %(1) correctness of the 4-phase handshaking: cir_read_write --
       get "command (t+1+1) = ir t"%
  THEN REWRITE_ASM_THM_TAC cir_read_write 29 % 29 = cir_read_write%
  THEN ASSUM_LIST (\ths.
        (ASSUME_TAC (SPEC "t+1" (el 1 ths))))
  THEN RM2LAST_TAC
  THEN REWRITE_ASM1 25 4 %25="~read t", 4="read(t+1)=read t"%
  THEN REWRITE_ASM1 1 2
  THEN RM3LAST_TAC
  THEN REWRITE_ASM 4 1 % 4 = write (t+1) %
  THEN REWRITE_ASM 6 1 %6="address(t+1)=0"%
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  THEN REWRITE_ASM1 8 2 %8="dataout=..." and 2="command=dataout..."%
  THEN REWRITE_ASM_THM_TAC double_num 1
  THEN RM2LAST_TAC
  % (2) biu idles until new_instr is high %
  THEN IMP_RES_TAC biu_idle_lemma
  THEN POP_TOP_ASSUMP_TAC
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC biu_idle 1
  THEN RM2LAST_TAC
  THEN REWRITE_ASM 3 1 %2 = new_instr(t+1)%
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  % (3) CPU waits until the response comes %
  THEN IMP_RES_TAC cpu_wait_for_response_lemma
  THEN RM2LAST_TAC
  THEN REWRITE_ASM1 37 25 % get ~resp_ready (t+1) %
  THEN REWRITE_ASM1 1 2
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  % (4) APU still idles %
  THEN ASSUM_LIST (\ths. ASSUME_TAC
        (REWRITE_RULE [SYM_RULE (el 30 ths)] (el 47 ths)))
  % to get "~start (t+1)" first.
     47 = "~start t", 30 = "start (t+1) = start t" %
  THEN IMP_RES_TAC apu_idle_lemma
  THEN POP_TOP_ASSUMP_TAC
  THEN RM2LAST_TAC
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC apu_idle 1
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  %t+1+1 -> t'%
  % (1) biu decodes, sends back response, and starts up the apu.
       first time nondeterministic ?t'%
  THEN IMP_RES_TAC biu_decode_lemma
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC biu_decode 1
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths. ASSUME_TAC
        (REWRITE_RULE [need_read; need_write] (el 1 ths)))
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
        (REWRITE_OTHER_TAC 1))
  THEN RM2LAST_TAC
  THEN POP_ASSUM (\th1. ASSUME_TAC
        ((CONV_RULE DEC_EQ_CONV) th1))
  THEN POP_ASSUM (\th1. ASSUME_TAC
        (CONV_RULE (ONCE_DEPTH_CONV
                    INV_dec_CONV) th1))
  THEN POP_ASSUM (\th1. ASSUME_TAC
        (REWRITE_RULE [First] th1))
  THEN POP_ASSUM (\th1.
        STRIP_ASSUME_TAC th1) % get rid of ?t' and make (A/\B) two
                                 separate assumptions A, B %
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  % (2) CPU -- waiting for the response from BIU, induction theorem
       wait_cpu is used here%
  THEN IMP_RES_TAC wait_cpu %resolve against (cpu_state t+1 = 1) and
                              (cpu_state t+1+1 = 1)%
  THEN RM3LAST_TAC
  THEN POP_TOP_ASSUMP_TAC
  THEN REWRITE_ASM_THM_TAC StableUntil 1
  % specialize n%
  THEN POP_ASSUM (\th1.
        ASSUME_TAC (SPEC "((t'-t)-1)-1" th1))
  THEN IMP_RES_TAC num_lemma2 %a numerical lemma %
  THEN REWRITE_ASM 1 2 % to rewrite use the theorem %
  THEN REWRITE_ASM 13 1 % 13 = Stable(resp_ready,F,(t+1)+1,t') %
  % (3) APU -- waiting to be started, induction theorems
       wait_apu and wait_apu2 are used here%
  % (3.1) to get f_ac t' = f_ac t+1+1, and f_reg t' = f_reg t+1+1 %
  % to get ~start (t+1+1) first
     29 = start t+1+1, 51 = start t+1, 69 = ~start t %
  THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
        (REWRITE_OTHER_TAC 29))
  THEN IMP_RES_TAC wait_apu % resolve against ~start t and ~start (t+1+1) %
  THEN POP_TOP_ASSUMP_TAC
  THEN POP_TOP_ASSUMP_TAC
  THEN RM3LAST_TAC
  THEN REWRITE_ASM_THM_TAC StableUntil2 1
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC StableUntil2 2
  THEN RM3LAST_TAC
  THEN POP_ASSUM (\th1.
        ASSUME_TAC (SPEC "((t'-t)-1)-1" th1))
  THEN POP_ASSUM (\th1. POP_ASSUM (\th2.
        ASSUME_TAC (SPEC "((t'-t)-1)-1" th2)
        THEN ASSUME_TAC th1))
  THEN IMP_RES_TAC num_lemma2 %get ((t + 1) + 1) + (((t' - t) - 1) - 1) = t'%
  THEN REWRITE_ASM 1 12 % to rewrite use the theorem %
  THEN RM3LAST_TAC
  THEN REWRITE_ASM1 2 3
  THEN REWRITE_ASM 10 1 % 10 = Stable (start,F,(t + 1) + 1,t') %
  THEN REWRITE_ASM1 16 2
  THEN RM3LAST_TAC
  % (3.2) to get cw t' = cw t+1+1 and sw t' = sw t+1+1 %
  THEN IMP_RES_TAC wait_apu2 % resolve against ~start t and ~start (t+1+1) %
  THEN POP_TOP_ASSUMP_TAC
  THEN POP_TOP_ASSUMP_TAC
  THEN RM3LAST_TAC
  THEN REWRITE_ASM_THM_TAC StableUntil2 1
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC StableUntil2 2
  THEN RM3LAST_TAC
  THEN POP_ASSUM (\th1.
        ASSUME_TAC (SPEC "((t'-t)-1)-1" th1))
  THEN POP_ASSUM (\th1. POP_ASSUM (\th2.
        ASSUME_TAC (SPEC "((t'-t)-1)-1" th2)
        THEN ASSUME_TAC th1))
  THEN REWRITE_ASM 6 1 %rewrite use the numerical theorem %
  THEN REWRITE_ASM1 6 2
  THEN RM3LAST_TAC
  THEN REWRITE_ASM 10 1 % 10 = Stable (start,F,(t + 1) + 1,t') %
  THEN REWRITE_ASM1 18 2
  THEN RM3LAST_TAC
  %t' --> t'+1%
  %now we got cpu_state t' = 1, f_ac t' = f_ac t+1+1, f_reg t' = f_reg t+1+1 %
  % (1) CPU goes to state 2 to analyze the response, and finds out
       it doesn't have to do anything else %
  THEN IMP_RES_TAC cpu_wait_for_response_lemma
  THEN RM2LAST_TAC
  THEN POP_TOP_ASSUMP_TAC
  THEN RM2LAST_TAC
  THEN REWRITE_ASM1 16 1 % 16 = resp_ready t' %
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  % t' --> t''%
  % (1) APU executes C_instr.
       we need to get (start t') /\ (Opc n (decode_reg t') = 2) first%
  %24 = "decode_reg t' = ir t" and
    83 = "Opc n (ir t) = 2" %
  THEN ASSUM_LIST (\ths. ASSUME_TAC
        (REWRITE_RULE [SYM_RULE (el 24 ths)] (el 83 ths)))
  THEN IMP_RES_TAC apu_instr_lemma
  % to match against "! t. (start t) /\ (Opc n (ir t)) ==> "%
  THEN ASSUM_LIST (\ths. ASSUME_TAC
        (HOL_MATCH_MP (el 1 ths)
                      (CONJ (el 22 ths) (el 2 ths)))) % 22 = start t'%
  THEN RM2LAST_TAC
  THEN REWRITE_ASM_THM_TAC C_instr 1
  THEN RM2LAST_TAC
  THEN POP_ASSUM (\th1.
        STRIP_ASSUME_TAC th1) % get rid of ?t' and make (A/\B) two
                                 separate assumptions A, B %
  THEN ASSUM_LIST (\ths. ASSUME_TAC
        (REWRITE_RULE [LET_DEF] (el 1 ths)))
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths. ASSUME_TAC
        (BETA_RULE (el 1 ths)))
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
        (REWRITE_OTHER_TAC 1))
  THEN RM2LAST_TAC
  THEN ASSUM_LIST (\ths.
        (TAC1 (el 1 ths)))
  % t'+1 --> t''%
  % (1) BIU idles, waiting for the next FP instruction %
  % (2) CPU can proceed with the next CPU instruction %
  % To rewrite the goal %
  THEN ONCE_REWRITE_TAC [instr]
  THEN ONCE_REWRITE_TAC [LET_DEF]
  THEN BETA_TAC
  THEN REWRITE_TAC [FPCstate]
  THEN EXISTS_TAC "t'':num"
  THEN ASM_REWRITE_TAC [];;


%
 FADD_Correct

 To prove the correctness of FADD, upon the interaction
 among the BIU, APU and CPU.
%

let FADD_Correct = prove_thm
  (`FADD_Correct`,
   "! (rep : ^rep_ty) (response :num->num) (operand_out :num->fp)
      (decode_reg :num->num) (biu_state :num->num)
      (start : num->bool) (command :num->num) (condition:num->num)
      (control : num->num) (operand_in:num->fp) (done :num->bool)
      (new_instr : num->bool) (operand_ready:num->bool) (resp_ready:num->bool)
      (f_ac : num->fp) (f_reg : num->num->fp)
      (cw sw : num->bool#bool#bool#bool)
      (c_ac :num->num) (c_reg : num->num->num) (mem:num->^memory)
      (ir : num->num) (cpu_state :num->num) (address :num->num)
      (read write :num->bool) (datain dataout : num->^wordn) (n:num).
    (biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready,
                        f_ac, biu_state, start)
                       (command, condition, control, operand_in, done, new_instr,
                        operand_ready) /\
     apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                       (start, decode_reg) /\
     cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                        cpu_state) (resp_ready, datain) /\
     (cir_read_write rep address read write datain dataout
                     command response operand_in operand_out condition
                     control new_instr operand_ready))
    ==>
    (!t. ((Opc n (ir t) = 2) /\
          (~(start t)) /\
          (~(new_instr t)) /\
          (~(resp_ready t)) /\
          (~(read t)) /\
          (biu_state t = 0) /\
          (cpu_state t = 0)) ==>
         (? (t':num).
           ((f_ac t', f_reg t') =
            FPCstate (FADD n rep (f_ac t, f_reg t, c_ac t,
                                  c_reg t, mem t) (ir t)))))",
   TAC_storm apu_FADD_lemma C_FADD FADD
  );;


%
 FSUB_Correct

 To prove the correctness of FSUB, upon the interaction
 among the BIU, APU and CPU.
%

let FSUB_Correct = prove_thm
  (`FSUB_Correct`,
   "! (rep : ^rep_ty) (response :num->num) (operand_out :num->fp)
      (decode_reg :num->num) (biu_state :num->num)
      (start : num->bool) (command :num->num) (condition:num->num)
      (control : num->num) (operand_in:num->fp) (done :num->bool)
      (new_instr : num->bool) (operand_ready:num->bool) (resp_ready:num->bool)
      (f_ac : num->fp) (f_reg : num->num->fp)
      (cw sw : num->bool#bool#bool#bool)
      (c_ac :num->num) (c_reg : num->num->num) (mem:num->^memory)
      (ir : num->num) (cpu_state :num->num) (address :num->num)
      (read write :num->bool) (datain dataout : num->^wordn) (n:num).
    (biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready,
                        f_ac, biu_state, start)
                       (command, condition, control, operand_in, done, new_instr,
                        operand_ready) /\
     apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                       (start, decode_reg) /\
     cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                        cpu_state) (resp_ready, datain) /\
     (cir_read_write rep address read write datain dataout
                     command response operand_in operand_out condition
                     control new_instr operand_ready))
    ==>
    (!t. ((Opc n (ir t) = 3) /\
          (~(start t)) /\
          (~(new_instr t)) /\
          (~(resp_ready t)) /\
          (~(read t)) /\
          (biu_state t = 0) /\
          (cpu_state t = 0)) ==>
         (? (t':num).
           ((f_ac t', f_reg t') =
            FPCstate (FSUB n rep (f_ac t, f_reg t, c_ac t,
                                  c_reg t, mem t) (ir t)))))",
   TAC_storm apu_FSUB_lemma C_FSUB FSUB
  );;


%
 FMUL_Correct

 To prove the correctness of FMUL, upon the interaction
 among the BIU, APU and CPU.
%

let FMUL_Correct = prove_thm
  (`FMUL_Correct`,
   "! (rep : ^rep_ty) (response :num->num) (operand_out :num->fp)
      (decode_reg :num->num) (biu_state :num->num)
      (start : num->bool) (command :num->num) (condition:num->num)
      (control : num->num) (operand_in:num->fp) (done :num->bool)
      (new_instr : num->bool) (operand_ready:num->bool) (resp_ready:num->bool)
      (f_ac : num->fp) (f_reg : num->num->fp)
      (cw sw : num->bool#bool#bool#bool)
      (c_ac :num->num) (c_reg : num->num->num) (mem:num->^memory)
      (ir : num->num) (cpu_state :num->num) (address :num->num)
      (read write :num->bool) (datain dataout : num->^wordn) (n:num).
    (biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready,
                        f_ac, biu_state, start)
                       (command, condition, control, operand_in, done, new_instr,
                        operand_ready) /\
     apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                       (start, decode_reg) /\
     cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                        cpu_state) (resp_ready, datain) /\
     (cir_read_write rep address read write datain dataout
                     command response operand_in operand_out condition
                     control new_instr operand_ready))
    ==>
    (!t. ((Opc n (ir t) = 4) /\
          (~(start t)) /\
          (~(new_instr t)) /\
          (~(resp_ready t)) /\
          (~(read t)) /\
          (biu_state t = 0) /\
          (cpu_state t = 0)) ==>
         (? (t':num).
           ((f_ac t', f_reg t') =
            FPCstate (FMUL n rep (f_ac t, f_reg t, c_ac t,
                                  c_reg t, mem t) (ir t)))))",
   TAC_storm apu_FMUL_lemma C_FMUL FMUL
  );;


%
 FDIV_Correct

 To prove the correctness of FDIV, upon the interaction
 among the BIU, APU and CPU.
%

let FDIV_Correct = prove_thm
  (`FDIV_Correct`,
   "! (rep : ^rep_ty) (response :num->num) (operand_out :num->fp)
      (decode_reg :num->num) (biu_state :num->num)
      (start : num->bool) (command :num->num) (condition:num->num)
      (control : num->num) (operand_in:num->fp) (done :num->bool)
      (new_instr : num->bool) (operand_ready:num->bool) (resp_ready:num->bool)
      (f_ac : num->fp) (f_reg : num->num->fp)
      (cw sw : num->bool#bool#bool#bool)
      (c_ac :num->num) (c_reg : num->num->num) (mem:num->^memory)
      (ir : num->num) (cpu_state :num->num) (address :num->num)
      (read write :num->bool) (datain dataout : num->^wordn) (n:num).
    (biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready,
                        f_ac, biu_state, start)
                       (command, condition, control, operand_in, done, new_instr,
                        operand_ready) /\
     apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                       (start, decode_reg) /\
     cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                        cpu_state) (resp_ready, datain) /\
     (cir_read_write rep address read write datain dataout
                     command response operand_in operand_out condition
                     control new_instr operand_ready))
    ==>
    (!t. ((Opc n (ir t) = 6) /\
          (~(start t)) /\
          (~(new_instr t)) /\
          (~(resp_ready t)) /\
          (~(read t)) /\
          (biu_state t = 0) /\
          (cpu_state t = 0)) ==>
         (? (t':num).
           ((f_ac t', f_reg t') =
            FPCstate (FDIV n rep (f_ac t, f_reg t, c_ac t,
                                  c_reg t, mem t) (ir t)))))",
   TAC_storm apu_FDIV_lemma C_FDIV FDIV
  );;


close_theory();;

quit();;


%
 File: fld_correct.ml
 Author: Jing Pan
 Date: Jan. 1991

 Purpose: Verification of FPC top level against top level
          spec of the BIU, APU, and CPU_service, in the
          case of an FLD instruction.

 Theories Used: aux, biu_top, biu_lemma, apu_top, apu_lemma,
                cpu_service, service_lemma, fpc_top, induc, a.
%

loadf `/csgrad/panj/holdir/init.ml`;;

loadf `abstract.ml`;;
loadf `tactics.ml`;;

system `/bin/rm -f fld_correct.th`;;

set_flag (`sticky`, true);;

new_theory `fld_correct`;;

loadf `aux_defs.ml`;;

map new_parent [`aux`; `biu_top`; `biu_lemma`; `apu_top`;
                `apu_lemma`; `cpu_service`; `service_lemma`;
                `fpc_top`; `induc`; `a`];;

autoload_defs_and_thms `biu_top`;;
autoload_defs_and_thms `biu_lemma`;;
autoload_defs_and_thms `apu_top`;;
autoload_defs_and_thms `apu_lemma`;;
autoload_defs_and_thms `cpu_service`;;
autoload_defs_and_thms `service_lemma`;;
autoload_defs_and_thms `fpc_top`;;
autoload_defs_and_thms `aux`;;
autoload_defs_and_thms `induc`;;
autoload_defs_and_thms `a`;;

let rep_ty = abstract_type `interface` `fetch`;;

new_theory_obligations [
  "! (x:num) (rep:^rep_ty) . ((wtonum rep (numtow rep x)) = x)";
  "! (x:fp) (rep:^rep_ty) . ((wtofp rep (fptow rep x)) = x)";
  ];;

let double_num = prove_thm
  (`double_num`,
   "! (x:num) (rep:^rep_ty) . ((wtonum rep (numtow rep x)) = x)",
   REPEAT STRIP_TAC
   THEN ASM_REWRITE_TAC []);;

let double_fp = prove_thm
  (`double_fp`,
   "! (x:fp) (rep:^rep_ty) . ((wtofp rep (fptow rep x)) = x)",
   REPEAT STRIP_TAC
   THEN ASM_REWRITE_TAC []);;

map loadf [`digit`; `decimal`];;


%
 FLD_Correct

 To prove the correctness of FLD, upon the interaction
 among the BIU, APU and CPU.
%

let FLD_Correct = prove_thm
  (`FLD_Correct`,
   "! (rep : ^rep_ty) (response :num->num) (operand_out :num->fp)
      (decode_reg :num->num) (biu_state :num->num)
      (start : num->bool) (command :num->num) (condition:num->num)
      (control : num->num) (operand_in:num->fp) (done :num->bool)
      (new_instr : num->bool) (operand_ready:num->bool) (resp_ready:num->bool)
      (f_ac : num->fp) (f_reg : num->num->fp)
      (cw sw : num->bool#bool#bool#bool)
      (c_ac :num->num) (c_reg : num->num->num) (mem:num->^memory)
      (ir : num->num) (cpu_state :num->num) (address :num->num)
      (read write :num->bool) (datain dataout : num->^wordn) (n:num).
    (biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready,
                        f_ac, biu_state, start)
                       (command, condition, control, operand_in, done, new_instr,
                        operand_ready) /\
     apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                       (start, decode_reg) /\
     cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                        cpu_state) (resp_ready, datain) /\
     (cir_read_write rep address read write datain dataout
                     command response operand_in operand_out condition
                     control new_instr operand_ready))
    ==>
    (!t. ((Opc n (ir t) = 0) /\ % FLD %
          (~(start t)) /\
          (~(new_instr t)) /\
          (~(resp_ready t)) /\
          (~(read t)) /\
          (biu_state t = 0) /\
          (cpu_state t = 0)) ==>
         (? (t':num).
           ((f_ac t', f_reg t') =
            FPCstate (FLD n rep (f_ac t, f_reg t, c_ac t,
                                 c_reg t, mem t) (ir t)))))",

   %t->t+1%
   (REPEAT STRIP_TAC
    %(1) APU: idle %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (2) BIU -- idle, waiting for the new_instr signal%
    THEN IMP_RES_TAC biu_idle_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_idle 1
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 11 1 % 11 = "~new_instr t"%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    %(3) CPU -- start up the communication by sending the instr%
    THEN IMP_RES_TAC cpu_begin_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC cpu_begin 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    %t+1 --> t+1+1%
    %(1) correctness of the 4-phase handshaking, "write": cir_read_write --
         get "command (t+1+1) = ir t" %
    THEN REWRITE_ASM_THM_TAC cir_read_write 29 % 29 = cir_read_write%
    THEN ASSUM_LIST (\ths. (ASSUME_TAC (SPEC "t+1" (el 1 ths))))
    THEN RM2LAST_TAC
    THEN REWRITE_ASM1 26 4 %26="~read t", 4="read(t+1)=read t"%
    THEN REWRITE_ASM1 1 2
    THEN RM3LAST_TAC
    THEN REWRITE_ASM 4 1 % 4=write(t+1) %
    THEN REWRITE_ASM 6 1 % 6="address(t+1)=0"%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))
    THEN RM3LAST_TAC
    THEN REWRITE_ASM1 7 2 %7="dataout=..." and 2="command=dataout..."%
    THEN REWRITE_ASM_THM_TAC double_num 1
    THEN RM2LAST_TAC

    % (2) biu idles until new_instr is high %
    THEN IMP_RES_TAC biu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_idle 1
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 3 1 %2 = new_instr(t+1)%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) CPU waits until the response come %
    THEN IMP_RES_TAC cpu_wait_for_response_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM1 36 24 % 36 = "~resp_ready t",
                               24 = resp_ready(t+1) = resp_ready t %
    THEN REWRITE_ASM 1 2
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (4) APU still idles %
    THEN ASSUM_LIST (\ths. ASSUME_TAC
           (REWRITE_RULE [SYM_RULE (el 29 ths)] (el 46 ths)))
    % to get "~start (t+1)" first.
      46 = "~start t", 29="start(t+1) = start t" %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    %t+1+1 -> t'%
    % (1) BIU decodes, sends back response, and starts up the apu.
          first time nondeterministic ?t'%
    THEN IMP_RES_TAC biu_decode_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_decode 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. ASSUME_TAC
           (REWRITE_RULE [need_read; need_write] (el 1 ths)))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 1))
    THEN RM2LAST_TAC
    THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
    THEN POP_ASSUM (\th1. ASSUME_TAC
           (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
    THEN POP_ASSUM (\th1. ASSUME_TAC (REWRITE_RULE [First] th1))
    THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1) % get rid of ?t' and make (A/\B) two
                                                  separate assumptions A, B %
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (2) CPU -- waiting for the response from BIU, induction thereon
          wait_cpu is used here.
          At the end we get cpu_state t' = 1, mem t' = mem (t+1+1)
          and ir t' = ir (t+1+1) %
    THEN IMP_RES_TAC wait_cpu %resolve against (cpu_state t+1 = 1) and
                                (cpu_state t+1+1 = 1)%
    THEN RM3LAST_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil 1
    % specialize n%
    THEN POP_ASSUM (\th1. ASSUME_TAC (SPEC "((t'-t)-1)-1" th1))
    THEN IMP_RES_TAC num_lemma2 %a numerical lemma %
    THEN REWRITE_ASM 1 2 % to rewrite use the theorem %
    THEN REWRITE_ASM 13 1 % 13 = Stable(resp_ready,F,(t + 1) + 1,t') %
    % to get mem and ir right %
    THEN RM2LAST_TAC
    THEN RM2LAST_TAC
    THEN IMP_RES_TAC wait_cpu2 %resolve against (cpu_state t+1 = 1) and
                                 (cpu_state t+1+1 = 1)%
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil2 1
    THEN REWRITE_ASM_THM_TAC StableUntil2 3
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    % specialize n%
    THEN POP_ASSUM (\th1. ASSUME_TAC (SPEC "((t'-t)-1)-1" th1))
    THEN POP_ASSUM (\th1. POP_ASSUM (\th2.
           ASSUME_TAC th1
           THEN ASSUME_TAC (SPEC "((t'-t)-1)-1" th2)))
    THEN IMP_RES_TAC num_lemma2 %a numerical lemma %
    THEN REWRITE_ASM1 1 2 % to rewrite use the theorem %
    THEN REWRITE_ASM1 2 4
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM 13 1 % 13 = Stable(resp_ready,F,(t + 1) + 1,t') %
    THEN REWRITE_ASM1 13 2
    THEN RM3LAST_TAC

    % (3) APU -- waiting to be started, induction thereon
          wait_apu used here to get f_ac t' = f_ac t+1+1,
          and f_reg t' = f_reg t+1+1 %
    % to get ~start (t+1+1) first, 29 = start t+1+1 %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 29))
    THEN IMP_RES_TAC wait_apu % resolve against ~start t and ~start (t+1+1) %
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil2 1
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil2 2
    THEN RM3LAST_TAC
    THEN POP_ASSUM (\th1. ASSUME_TAC (SPEC "((t'-t)-1)-1" th1))
    THEN POP_ASSUM (\th1. POP_ASSUM (\th2.
           ASSUME_TAC (SPEC "((t'-t)-1)-1" th2)
           THEN ASSUME_TAC th1))
    THEN IMP_RES_TAC num_lemma2 %get ((t + 1) + 1) + (((t' - t) - 1) - 1) = t'%
    THEN REWRITE_ASM1 1 2 % to rewrite use the theorem %
    THEN RM3LAST_TAC
    THEN REWRITE_ASM1 2 3
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM 14 1 % 14 = Stable(start,F,(t + 1) + 1,t') %
    THEN REWRITE_ASM1 14 2
    THEN RM3LAST_TAC

    %t'-->t'+1%
    % (1) CPU goes to state 2 to analyze the response %
    THEN IMP_RES_TAC cpu_wait_for_response_lemma
    THEN RM2LAST_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 11 1 % 11 = resp_ready t' %
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (2) BIU wait for the operand in state 2 (since ~operand_ready t') %
    THEN IMP_RES_TAC biu_wait_op_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_wait_op 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) APU idles %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % t'+1 --> t'+1+1 %
    % (1) "read" -- correctness of the 4-phase insures that the response
          is put into the datain bus so that the CPU can read it %
    THEN REWRITE_ASM_THM_TAC cir_read_write 91 % 91 = cir_read_write%
    THEN ASSUM_LIST (\ths. (ASSUME_TAC (SPEC "t'+1:num" (el 1 ths))))
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 16 1 % 16 = read(t'+1) %
    THEN REWRITE_ASM 17 1 % 17 = "address(t'+1)=1"%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))
    % now we get "datain((t' + 1) + 1) = numtow rep(response(t' + 1))" %
    % (2) CPU waits for one cycle for the 4phase %
    THEN IMP_RES_TAC cpu_wait_4phase_lemma
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) BIU idles %
    THEN IMP_RES_TAC biu_fld_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 11 1
    THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1) % get rid of ?t' %
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (4) APU idles %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 26)) % 26="start(t' + 1) = start t'" %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % t'+1+1 --> t'+1+1+1 %
    % (1) 4-phase "idle" %
    THEN REWRITE_ASM_THM_TAC cir_read_write 117 % 117 = cir_read_write%
    THEN ASSUM_LIST (\ths. (ASSUME_TAC (SPEC "(t'+1)+1:num" (el 1 ths))))
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 18 1 % 18 ="~read(t'+1+1)"%
    THEN REWRITE_ASM 17 1 % 17 = ~write(t'+1+1) %
    THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1) % make (A/\B) 2 assumptions %

    % (2) CPU reads the response and puts the data (operand fetched
          from the mem) to the databus %
    THEN IMP_RES_TAC cpu_read_response_lemma
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. ASSUME_TAC (REWRITE_RULE [LET_DEF] (el 1 ths)))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. ASSUME_TAC (BETA_RULE (el 1 ths)))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (ASSUME_TAC
           (REWRITE_RULE [el 26 ths; double_num] (el 1 ths))))
    THEN RM2LAST_TAC % 29 = datain(t'+1+1)=... %
    THEN REWRITE_ASM1 63 41 % 41 = response(t'+1)=response t',
                               63 = response t' = read_p %
    THEN REWRITE_ASM1 1 2
    THEN RM3LAST_TAC
    THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
    THEN POP_ASSUM (\th1. ASSUME_TAC
           (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) BIU waits in state 3 %
    THEN IMP_RES_TAC biu_fld_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 11 1 % 11 = ~operand_ready (t'+1+1) %
    THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1) % get rid of ?t' %
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (4) APU idles %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 24)) % 26="start(t'+1+1) = start (t'+1)" %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % t'+1+1+1 --> t'+1+1+1+1 %
    % (1) "write" -- the correctness property of the 4-phase protocol
          insures that the data is put into the operand_in cir %
    THEN REWRITE_ASM_THM_TAC cir_read_write 142 %142 = cir_read_write%
    THEN ASSUM_LIST (\ths. (ASSUME_TAC (SPEC "((t'+1)+1)+1" (el 1 ths))))
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 18 1 % 18 = "~read(t'+1+1+1)"%
    THEN REWRITE_ASM 17 1 % 17 = write(t'+1+1+1) %
    THEN REWRITE_ASM 18 1 % 19="address(t'+1+1+1)=2 (operand_in)"%
    THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
    THEN POP_ASSUM (\th1. ASSUME_TAC
           (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))
    THEN REWRITE_ASM1 22 3
    %22="dataout(t'+3)=fetch rep mem (Addr n ir(t'+3))" and
      3="operand_out (t'+4) = wtofp rep dataout(t'+3)"%

    % (2) BIU waits in state 2 %
    THEN IMP_RES_TAC biu_fld_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 4 1 % 4 = ~operand_ready (t'+1+1+1) %
    THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1) % get rid of ?t' %
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) APU idles %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 19)) %19="start(t'+1+1+1) = start (t'+1+1)"%
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (4) CPU is free now %

    % t'+1+1+1+1 --> t'+1+1+1+1+1%
    % (1) BIU put the content of operand_in to f_ac %
    % the rest idles or do other things %
    THEN IMP_RES_TAC biu_fld_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM 17 1 % 17 = operand_ready (t'+1+1+1+1) %
    THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1) % get rid of ?t' %
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (2) APU idles -- induction. To get f_reg t''''' = f_reg(t'+1+1+1+1) %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 16)) % 16="start(t'+1+1+1+1) = start (t'+1+1+1)" %
    THEN IMP_RES_TAC wait_apu % resolve against ~start t and ~start (t+1+1) %
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil2 1
    THEN RM2LAST_TAC
    THEN POP_ASSUM (\th1. ASSUME_TAC (SPEC "((((t'''''-t')-1)-1)-1)-1" th1))
    THEN IMP_RES_TAC num_lemma3
    %get ((((t'+1)+1)+1)+1) + (((((t'''''-t')-1)-1)-1)-1) = t'''''%
    THEN REWRITE_ASM1 1 2 % to rewrite use the theorem %
    THEN RM3LAST_TAC
    THEN REWRITE_ASM 11 1 % 11 = Stable(start,F,(t'+1+1+1+1),t''''') %

    % To rewrite the goal %
    THEN REWRITE_ASM1 27 6 % to get f_ac = wtofp rep (...) %
    THEN ONCE_REWRITE_TAC [FLD]
    THEN ONCE_REWRITE_TAC [LET_DEF]
    THEN BETA_TAC
    THEN REWRITE_TAC [FPCstate]
    THEN EXISTS_TAC "t''''':num"
    THEN ASM_REWRITE_TAC[]
   ));;

close_theory();;

quit();;


%
  File:    fstr_correct.ml
  Author:  Jing Pan
  Date:    Feb. 1991

  Purpose: Verification of FPC top level against top level
           spec of the BIU, APU, and CPU_service, in the
           case of an FSTR instruction.

  Theories Used: aux, biu_top, biu_lemma, apu_top, apu_lemma,
                 cpu_service, service_lemma, fpc_top, induc, m.
%

loadf `/csgrad/panj/holdir/init.ml`;;

loadf `abstract.ml`;;
loadf `tactics.ml`;;

system `/bin/rm -f fstr_correct.th`;;

set_flag (`sticky`, true);;

new_theory `fstr_correct`;;

loadf `aux_defs.ml`;;

map new_parent [`aux`; `biu_top`; `biu_lemma`; `apu_top`;
                `apu_lemma`; `cpu_service`; `service_lemma`;
                `fpc_top`; `induc`; `m`];;

autoload_defs_and_thms `biu_top`;;
autoload_defs_and_thms `biu_lemma`;;
autoload_defs_and_thms `apu_top`;;
autoload_defs_and_thms `apu_lemma`;;
autoload_defs_and_thms `cpu_service`;;
autoload_defs_and_thms `service_lemma`;;
autoload_defs_and_thms `fpc_top`;;
autoload_defs_and_thms `aux`;;
autoload_defs_and_thms `induc`;;

let rep_ty = abstract_type `interface` `fetch`;;

new_theory_obligations [
  "! (x:num) (rep:^rep_ty). ((wtonum rep (numtow rep x)) = x)";
  "! (x:fp) (rep:^rep_ty). ((wtofp rep (fptow rep x)) = x)"
];;

let double_num = prove_thm
  (`double_num`,
   "! (x:num) (rep:^rep_ty). ((wtonum rep (numtow rep x)) = x)",
   REPEAT STRIP_TAC
   THEN ASM_REWRITE_TAC[]);;

let double_fp = prove_thm
  (`double_fp`,
   "! (x:fp) (rep:^rep_ty). ((wtofp rep (fptow rep x)) = x)",
   REPEAT STRIP_TAC
   THEN ASM_REWRITE_TAC[]);;

map loadf [`digit`; `decimal`];;

%
  FSTR_Correct

  To prove the correctness of FSTORE, upon the interaction
  among the BIU, APU and CPU.
%

let FSTR_Correct = prove_thm
  (`FSTR_Correct`,
   "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
      (decode_reg:num->num) (biu_state:num->num)
      (start:num->bool) (command:num->num) (condition:num->num)
      (control:num->num) (operand_in:num->fp) (done:num->bool)
      (new_instr:num->bool) (operand_ready:num->bool) (resp_ready:num->bool)
      (f_ac:num->fp) (f_reg:num->num->fp)
      (cw sw:num->bool#bool#bool#bool)
      (c_ac:num->num) (c_reg:num->num->num) (mem:num->*memory)
      (ir:num->num) (cpu_state:num->num) (address:num->num)
      (read write:num->bool) (datain dataout:num->*wordn) (n:num).

      (biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready,
                          f_ac, biu_state, start)
                         (command, condition, control, operand_in, done, new_instr,
                          operand_ready) /\
       apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                         (start, decode_reg) /\
       cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                          cpu_state) (resp_ready, datain) /\
       (cir_read_write rep address read write datain dataout
                       command response operand_in operand_out condition
                       control new_instr operand_ready))
      ==>
      (!t. ((Opc n (ir t) = 1) /\   % FSTR %
            (~(start t)) /\
            (~(new_instr t)) /\
            (~(resp_ready t)) /\
            (~(read t)) /\
            (biu_state t = 0) /\
            (cpu_state t = 0)) ==>
           (? (t':num).
              ((f_ac t', f_reg t') =
               FPCstate (FSTR n rep (f_ac t, f_reg t, c_ac t,
                                     c_reg t, mem t, ir t)))))",

   %t->t+1%
   (REPEAT STRIP_TAC
    %(1) APU: idle %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (2) BIU -- idle, waiting for the new_instr signal%
    THEN IMP_RES_TAC biu_idle_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_idle 1
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 11 1 % 11 = "~new_instr t"%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    %(3) CPU -- start up the communication by sending the instr%
    THEN IMP_RES_TAC cpu_begin_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC cpu_begin 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    %t+1 --> t+1+1%
    %(1) correctness of the 4-phase handshaking, "write": cir_read_write --
         get "command (t+1+1) = ir t" %
    THEN REWRITE_ASM_THM_TAC cir_read_write 29 % 29 = cir_read_write%
    THEN ASSUM_LIST (\ths. (ASSUME_TAC (SPEC "t+1" (el 1 ths))))
    THEN RM2LAST_TAC
    THEN REWRITE_ASM1 26 4 %26="~read t", 4="read(t+1)=read t"%
    THEN REWRITE_ASM1 1 2
    THEN RM3LAST_TAC
    THEN REWRITE_ASM 4 1 % 4=write(t+1) %
    THEN REWRITE_ASM 6 1 % 6="address(t+1)=0"%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))
    THEN RM3LAST_TAC
    THEN REWRITE_ASM1 7 2 %7="dataout=..." and 2="command=dataout..."%
    THEN REWRITE_ASM_THM_TAC double_num 1
    THEN RM2LAST_TAC

    % (2) biu idles until new_instr is high %
    THEN IMP_RES_TAC biu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_idle 1
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 3 1 %2 = new_instr(t+1)%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) CPU waits until the response come %
    THEN IMP_RES_TAC cpu_wait_for_response_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM1 36 24 % 36 = "~resp_ready t",
                               24 = resp_ready(t+1) = resp_ready t %
    THEN REWRITE_ASM 1 2
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (4) APU still idles %
    THEN ASSUM_LIST (\ths. ASSUME_TAC
           (REWRITE_RULE [SYM_RULE (el 29 ths)] (el 46 ths)))
    % to get "~start (t+1)" first.
      46 = "~start t", 29="start(t+1) = start t" %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    %t+1+1 -> t'%
    % (1) BIU decodes, sends back response, and starts up the apu.
          first time nondeterministic ?t'%
    THEN IMP_RES_TAC biu_decode_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_decode 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. ASSUME_TAC
           (REWRITE_RULE [need_read; need_write] (el 1 ths)))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 1))
    THEN RM2LAST_TAC
    THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
    THEN POP_ASSUM (\th1. ASSUME_TAC
           (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
    THEN POP_ASSUM (\th1. ASSUME_TAC (REWRITE_RULE [First] th1))
    THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1) % get rid of ?t' and make (A/\B) two
                                                  separate assumptions A, B %
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (2) CPU -- waiting for the response from BIU, induction thereon
          wait_cpu is used here.
          At the end we get cpu_state t' = 1, mem t' = mem (t+1+1)
          and ir t' = ir (t+1+1) %
    THEN IMP_RES_TAC wait_cpu %resolve against (cpu_state t+1 = 1) and
                                (cpu_state t+1+1 = 1)%
    THEN RM3LAST_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil 1
    % specialize n%
    THEN POP_ASSUM (\th1. ASSUME_TAC (SPEC "((t'-t)-1)-1" th1))
    THEN IMP_RES_TAC num_lemma2 %a numerical lemma %
    THEN REWRITE_ASM 1 2 % to rewrite use the theorem %
    THEN REWRITE_ASM 13 1 % 13 = Stable(resp_ready,F,(t + 1) + 1,t') %
    % to get mem and ir right %
    THEN RM2LAST_TAC
    THEN RM2LAST_TAC
    THEN IMP_RES_TAC wait_cpu2 %resolve against (cpu_state t+1 = 1) and
                                 (cpu_state t+1+1 = 1)%
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil2 1
    THEN REWRITE_ASM_THM_TAC StableUntil2 3
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    % specialize n%
    THEN POP_ASSUM (\th1. ASSUME_TAC (SPEC "((t'-t)-1)-1" th1))
    THEN POP_ASSUM (\th1. POP_ASSUM (\th2.
           ASSUME_TAC th1
           THEN ASSUME_TAC (SPEC "((t'-t)-1)-1" th2)))
    THEN IMP_RES_TAC num_lemma2 %a numerical lemma %
    THEN REWRITE_ASM1 1 2 % to rewrite use the theorem %
    THEN REWRITE_ASM1 2 4
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM 13 1 % 13 = Stable(resp_ready,F,(t + 1) + 1,t') %
    THEN REWRITE_ASM1 13 2
    THEN RM3LAST_TAC

    % (3) APU -- waiting to be started, induction thereon
          wait_apu used here to get f_ac t' = f_ac t+1+1,
          and f_reg t' = f_reg t+1+1 %
    % to get ~start (t+1+1) first, 29 = start t+1+1 %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 29))
    THEN IMP_RES_TAC wait_apu % resolve against ~start t and ~start (t+1+1) %
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil2 1
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil2 2
    THEN RM3LAST_TAC
    THEN POP_ASSUM (\th1. ASSUME_TAC (SPEC "((t'-t)-1)-1" th1))
    THEN POP_ASSUM (\th1. POP_ASSUM (\th2.
           ASSUME_TAC (SPEC "((t'-t)-1)-1" th2)
           THEN ASSUME_TAC th1))
    THEN IMP_RES_TAC num_lemma2 %get ((t + 1) + 1) + (((t' - t) - 1) - 1) = t'%
    THEN REWRITE_ASM1 1 2 % to rewrite use the theorem %
    THEN RM3LAST_TAC
    THEN REWRITE_ASM1 2 3
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM 14 1 % 14 = Stable(start,F,(t + 1) + 1,t') %
    THEN REWRITE_ASM1 14 2
    THEN RM3LAST_TAC

    %(4) CPU induction -- to get ~read t' and ~write t'%
    THEN IMP_RES_TAC wait_cpu3 %resolve against (cpu_state t+1 = 1) and
                                 (cpu_state t+1+1 = 1)%
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM_THM_TAC StableUntil3 1
    THEN REWRITE_ASM_THM_TAC StableUntil3 3
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    % specialize n%
    THEN POP_ASSUM (\th1. ASSUME_TAC (SPEC "(((t'-t)-1)-1)-1" th1))
    THEN POP_ASSUM (\th1. POP_ASSUM (\th2.
           ASSUME_TAC th1
           THEN ASSUME_TAC (SPEC "(((t'-t)-1)-1)-1" th2)))
    THEN IMP_RES_TAC num_lemma4 %a numerical lemma %
    THEN REWRITE_ASM1 1 2 % to rewrite use the theorem %
    THEN REWRITE_ASM1 2 4
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN RM3LAST_TAC
    THEN REWRITE_ASM 18 1 % 18 = Stable(resp_ready,F,(t + 1) + 1,t') %
    THEN REWRITE_ASM1 18 2
    THEN RM3LAST_TAC

    %t'-->t'+1%
    % (1) 4-phase idles %
    THEN REWRITE_ASM_THM_TAC cir_read_write 72 % 72 = cir_read_write%
    THEN ASSUM_LIST (\ths. (ASSUME_TAC (SPEC "t':num" (el 1 ths))))
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 2 1 % 2 ="~read t'"%
    THEN REWRITE_ASM 3 1 % 3 = ~write t' %
    THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1) % make (A/\B) 2 assumptions %

    % (2) CPU goes to state 2 to analyze the result %
    THEN IMP_RES_TAC cpu_wait_for_response_lemma
    THEN RM2LAST_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 13 1 % 13 = resp_ready t' %
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) BIU wait in state 0 -- 1st time %
    THEN IMP_RES_TAC biu_idle_lemma
    THEN RM2LAST_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_idle 1
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 12 1 %12=~new_instr t'%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (4) APU idles %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % t'+1 --> t'+1+1 %
    % (1) "read" -- correctness of the 4-phase insures that the response
          is put into the datain bus so that the CPU can read it %
    THEN REWRITE_ASM_THM_TAC cir_read_write 96 % 96 = cir_read_write%
    THEN ASSUM_LIST (\ths. (ASSUME_TAC (SPEC "t'+1:num" (el 1 ths))))
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 16 1 % 16 = read(t'+1) %
    THEN REWRITE_ASM 17 1 % 17 ="address(t'+1)=1"%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))
    % now we get "datain((t'+1)+1) = numtow rep(response(t'+1))" %
    % (2) CPU waits for one cycle for the 4phase %
    THEN IMP_RES_TAC cpu_wait_4phase_lemma
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) BIU idles in state 0 -- 2nd time %
    THEN IMP_RES_TAC biu_idle_lemma
    THEN RM2LAST_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_idle 1
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 12 1 %12=~new_instr(t'+1)%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (4) APU idles %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 26)) % 26="start (t'+1) = start t'" %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % t'+1+1 --> t'+1+1+1 %
    % (1) 4-phase "idle" %
    THEN REWRITE_ASM_THM_TAC cir_read_write 120 % 120 = cir_read_write%
    THEN ASSUM_LIST (\ths. (ASSUME_TAC (SPEC "(t'+1)+1:num" (el 1 ths))))
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 17 1 % 17 ="~read(t'+1+1)"%
    THEN REWRITE_ASM 16 1 % 16 = ~write(t'+1+1) %
    THEN POP_ASSUM (\th1. STRIP_ASSUME_TAC th1) % make (A/\B) 2 assumptions %

    % (2) CPU reads the response and raise the read line to read the
          operand now is on the datain bus %
    THEN IMP_RES_TAC cpu_read_response_lemma
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. ASSUME_TAC (REWRITE_RULE [LET_DEF] (el 1 ths)))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. ASSUME_TAC (BETA_RULE (el 1 ths)))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (ASSUME_TAC
           (REWRITE_RULE [el 26 ths; double_num] (el 1 ths))))
    THEN RM2LAST_TAC % 26 = datain(t'+1+1)=... %
    THEN REWRITE_ASM1 66 40 % 40 = response(t'+1)=response t',
                               66 = response t' = write_p %
    THEN REWRITE_ASM1 1 2
    THEN RM3LAST_TAC
    THEN ASSUM_LIST (\ths. (ASSUME_TAC
           (REWRITE_RULE [read_p; write_p] (el 1 ths))))
    THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
    THEN POP_ASSUM (\th1. ASSUME_TAC
           (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) BIU waits in state 0 -- 3rd time %
    THEN IMP_RES_TAC biu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_idle 1 % the 5th one %
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 13 1 %13=~new_instr(t'+1+1)%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (4) APU idles %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 24)) % 26="start(t'+1+1) = start(t'+1)" %
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % t'+1+1+1 --> t'+1+1+1+1 %
    % (1) "read" -- the correctness property of the 4-phase protocol
          insures that the data in operand_in cir is put on datain bus%
    THEN REWRITE_ASM_THM_TAC cir_read_write 145 %145 = cir_read_write%
    THEN ASSUM_LIST (\ths. (ASSUME_TAC (SPEC "((t'+1)+1)+1" (el 1 ths))))
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 17 1 % 17 = "read(t'+1+1+1)"%
    THEN REWRITE_ASM 14 1 % 14 = ~write(t'+1+1+1) %
    THEN REWRITE_ASM 15 1 % 14="address(t'+1+1+1)=2 (operand_in)"%
    THEN POP_ASSUM (\th1. ASSUME_TAC ((CONV_RULE DEC_EQ_CONV) th1))
    THEN POP_ASSUM (\th1. ASSUME_TAC
           (CONV_RULE (ONCE_DEPTH_CONV INV_dec_CONV) th1))
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (2) CPU wait one cycle%
    THEN IMP_RES_TAC cpu_wait_read_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC cpu_wait_read 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (3) BIU waits in state 0 -- 4th time %
    THEN IMP_RES_TAC biu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC biu_idle 1 % the 6th one %
    THEN RM2LAST_TAC
    THEN REWRITE_ASM 12 1 %12=~new_instr(t'+1+1+1)%
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (4) APU idles %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 26)) %26="start(t'+1+1+1) = start(t'+1+1)"%
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % t'+1+1+1+1 --> t'+1+1+1+1+1%
    % (1) CPU stores the value on data bus to the memory %
    THEN IMP_RES_TAC cpu_put_data_lemma
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC cpu_put_data 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. ASSUME_TAC (REWRITE_RULE [LET_DEF] (el 1 ths)))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. ASSUME_TAC (BETA_RULE (el 1 ths)))
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % (2) BIU idles in state 0 %
    % (3) APU idles %
    THEN ASSUM_LIST (\ths. %rewrite use all other assumptions%
           (REWRITE_OTHER_TAC 16)) %16="start(t'+1+1+1+1) = start(t'+1+1+1)"%
    THEN IMP_RES_TAC apu_idle_lemma
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN POP_TOP_ASSUMP_TAC
    THEN RM2LAST_TAC
    THEN REWRITE_ASM_THM_TAC apu_idle 1
    THEN RM2LAST_TAC
    THEN ASSUM_LIST (\ths. (TAC1 (el 1 ths)))

    % To rewrite the goal %
    THEN REWRITE_ASM1 27 6 % to get f_ac = wtofp rep (...) %
    THEN ONCE_REWRITE_TAC [FSTR]
    THEN ONCE_REWRITE_TAC [LET_DEF]
    THEN BETA_TAC
    THEN REWRITE_TAC [FPCstate]
    THEN EXISTS_TAC "((((t'+1)+1)+1)+1)+1:num"
    THEN ASM_REWRITE_TAC[]
   ));;

close_theory();;

quit();;


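The time-stepped handshake that the FLD_Correct and FSTR_Correct scripts walk through (t, t+1, t+1+1, the nondeterministic t', then t'+1 ... t'+5) can be exercised as an executable model. The Python below is an added example, not the report's HOL definitions: the one-cycle cir_read_write latency, the register addresses 0/1/2 (command, response, operand), the response encodings WRITE_P/READ_P, the CPU/BIU state names and the BIU decode delay are all assumptions taken from the proof comments.

```python
# Constructed model of the CPU / BIU / APU interaction for FLD and FSTR.
# Every name and constant here is an assumption drawn from the proof comments,
# not the report's HOL definitions.
CMD_ADDR, RESP_ADDR, OP_ADDR = 0, 1, 2   # cir register addresses named in the comments
OPC_FLD, OPC_FSTR = 0, 1                 # opcodes checked by FLD_Correct / FSTR_Correct
WRITE_P, READ_P = 1, 2                   # assumed encodings of the two BIU responses


def run_instruction(opc, operand_addr, mem, f_ac, decode_delay, max_cycles=64):
    """Run one FLD/FSTR from the Initial_State at t = 0 until the FPC state is
    final.  Returns (t_final, f_ac_final, mem_final, trace); trace[u] holds the
    signal values at cycle u so the proof's 4-phase steps can be checked."""
    mem = dict(mem)                                   # constructed memory image
    regs = {"command": None, "response": None, "operand_in": None, "operand_out": None}
    out = {"read": False, "write": False, "address": None, "dataout": None}
    datain, countdown, start = None, 0, False         # APU is never started by FLD/FSTR
    new_instr = resp_ready = operand_ready = False
    cpu, biu = "idle", "idle"                         # cpu_state 0 / biu_state 0
    ir = opc                                          # constructed: the word is just the opcode
    trace = []
    for u in range(max_cycles):
        trace.append(dict(cpu=cpu, biu=biu, new_instr=new_instr, resp_ready=resp_ready,
                          operand_ready=operand_ready, datain=datain, start=start,
                          f_ac=f_ac, **out, **regs))
        if u > 0 and cpu == "free" and biu == "idle":
            return u, f_ac, mem, trace
        # --- CPU (cpu_service): next state plus the outputs registered for u+1
        nxt = {"read": False, "write": False, "address": None, "dataout": None}
        if cpu == "idle":                       # cpu_begin: write the instruction word
            cpu = "wait_resp"
            nxt.update(write=True, address=CMD_ADDR, dataout=ir)
        elif cpu == "wait_resp" and resp_ready: # wait_cpu ends: go read the response
            cpu = "wait_4phase"
            nxt.update(read=True, address=RESP_ADDR)
        elif cpu == "wait_4phase":              # cpu_wait_4phase: datain valid next cycle
            cpu = "analyze"
        elif cpu == "analyze":                  # cpu_read_response
            if datain == WRITE_P:               # FLD: fetch the operand, write it to the cir
                cpu = "free"
                nxt.update(write=True, address=OP_ADDR, dataout=mem[operand_addr])
            else:                               # FSTR: raise read to fetch the operand
                cpu = "wait_read"
                nxt.update(read=True, address=OP_ADDR)
        elif cpu == "wait_read":                # cpu_wait_read: one cycle for the 4-phase
            cpu = "put_data"
        elif cpu == "put_data":                 # cpu_put_data: store datain to memory
            mem[operand_addr] = datain
            cpu = "free"
        # --- BIU (biu_top_cpu)
        set_resp = False
        if biu == "idle" and new_instr:
            biu, countdown = "decode", decode_delay
        elif biu == "decode":                   # the nondeterministic ?t' of the proof
            if countdown == 0:
                set_resp = True
                if regs["command"] == OPC_FLD:  # ask the CPU to write the operand
                    regs["response"], biu = WRITE_P, "wait_op"
                else:                           # FSTR: expose f_ac, ask the CPU to read
                    regs["response"], regs["operand_out"], biu = READ_P, f_ac, "idle"
            else:
                countdown -= 1
        elif biu == "wait_op" and operand_ready:  # biu_fld: load f_ac from operand_in
            f_ac, biu = regs["operand_in"], "idle"
        # --- cir_read_write: registers and handshake flags update one cycle later
        datain = None
        if out["write"] and out["address"] == CMD_ADDR:
            regs["command"] = out["dataout"]
        if out["write"] and out["address"] == OP_ADDR:
            regs["operand_in"] = out["dataout"]
        if out["read"]:
            datain = regs["response"] if out["address"] == RESP_ADDR else regs["operand_out"]
        new_instr = out["write"] and out["address"] == CMD_ADDR
        operand_ready = out["write"] and out["address"] == OP_ADDR
        resp_read = out["read"] and out["address"] == RESP_ADDR
        resp_ready = True if set_resp else (resp_ready and not resp_read)
        out = nxt
    raise RuntimeError("handshake did not complete")


def handshake_milestones(trace):
    """The facts the scripts establish step by step: t' (first resp_ready),
    command(t+2) = ir t, datain(t'+2) = response, and the StableUntil
    properties Stable(resp_ready,F,t+2,t') and Stable(start,F,...)."""
    t_prime = next(u for u, s in enumerate(trace) if s["resp_ready"])
    return {
        "t_prime": t_prime,
        "command_at_t_plus_2": trace[2]["command"],
        "datain_at_t_prime_2": trace[t_prime + 2]["datain"],
        "resp_ready_stable_F": all(not trace[u]["resp_ready"] for u in range(2, t_prime)),
        "start_stable_F": all(not s["start"] for s in trace),
    }
```

With `decode_delay` d the response appears at t' = t + 4 + d, and both instructions finish at t' + 5, matching the EXISTS_TAC witnesses of the two proofs.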
fpc.correct.nl 
Jing Pan 
lUrch. 1091 

Verification of FPC top level against top level 
spec of tho BIU, APU, and CPU.service. 

Theories Used: auz, fpc.top, f .arith. correct .ml fld.corroct.nl 

fstr.corroct.nl 


Pile: 

Author: 

Date: 

Purpose: 


1 


loadf */csgr ad/pan j/holdix/init .nl * ; ; 

loadf * abstract. nl';; 
loadf 4 tactics.nl* ; ; 

ays ten * /bin/m -f fpc.correct.th' ; ; 

sot .flag ( f sticky*» true);; 

now. theory ‘f pc. correct * j ; 

loadf *auz.dofs.nl* ; ; 

nap new.parent [*aux' f * *time.abs<; f fpc.top*; ‘f.arith.corroct * ; 
*f ld.corroct * ; *f str. correct *] ; ; 
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antoload.dafs.and^thas 'fpc.top 4 ;; 
AQtoloid.d«fi.and.thu , «a l ; ; 
nut oload.daf s_and_thas 1 f.arith.corract * ; ; 
antoload.dafs.and.thns 4 fld.corxact 4 ; ; 
autoload.dafs.and.thas 4 f str.corract 4 ; ; 
antoload.dafs.and.thas 4 tiaa.abs 4 ; ; 


1st rap.ty * abstract.typa 'intarfaca 4 4 l#tch 4 ;; 
nss.thsory.obligations [ 

•! (x:nua) (rap: “rap.ty) . ((rtonua rap (nuatos rap x)) ■ x) H ; 
•! (sc: ip) (rap: “rap.ty). ((rtofp rap (fptow rap x)) ■ x)"; 

Jn 


aap loadi ['digit 4 ; 4 dscinal 4 ];; 


X 


Xnitial.Stats 

Spacify tba initial atataa of tha CPU* BIU, JLPU and 
tha correctness of tha 4 phase protocol. 


•X 


lat Initial .State * new.def inition 
('Xnitial.Stats' , 

* ! (start nev.instr rasp. ready read:nua->bool) 

(biu.state cpu.state:nua->nua) t. 

Xnitial.Stats (start, new.instr, resp.ready, raad, biu.stata, 
cpu.state, t) - 
((•(start t)) /\ 

(•(new.instr t)) /\ 

C (resp_ready t)) /\ 

(•(raad t)) /\ 

(biu.stata t ■ 0) /\ 

(cpu.state t » 0)) M 


V 


ValidOpcoda 

Spacify tha walid opcodas 


lat ValidOpcoda ■ new.def init ion 
('ValidOpcoda* , 

*! (rep: “rap.ty) n ir . ValidOpcoda n rap ir 
((Opc n ir » 0) \/ 

(Opc n ir ■ 2) \/ 

(Opc n ir • 3) \J 
(Opc n ir ■ 4) \/ 

(Opc n ir - 6))** 


X 


X* 
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PPC.VextState. Correct 


To prove the correctness of lertState.fpc, upon 
interaction anong tho CTO, BXU and iPU. 

let NextState_Correct = prove_thm
 (`NextState_Correct`,
  "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
     (decode_reg:num->num) (biu_state:num->num)
     (start:num->bool) (command:num->num) (condition:num->num)
     (control:num->num) (operand_in:num->fp) (done:num->bool)
     (new_instr:num->bool) (operand_ready:num->bool) (resp_ready:num->bool)
     (f_ac:num->fp) (f_reg:num->num->fp)
     (cw sw:num->bool#bool#bool#bool)
     (c_ac:num->num) (c_reg:num->num->num) (mem:num->*memory)
     (ir:num->num) (cpu_state:num->num) (address:num->num)
     (read write:num->bool) (datain dataout:num->*wordn) (n:num).
   (biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready,
                       f_ac, biu_state, start)
                      (command, condition, control, operand_in, done, new_instr,
                       operand_ready) /\
    apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                      (start, decode_reg) /\
    cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                       cpu_state) (resp_ready, datain) /\
    (cir_read_write rep address read write datain dataout
                    command response operand_in operand_out condition
                    control new_instr operand_ready)) ==>
   (!t. (Initial_State (start, new_instr, resp_ready, read, biu_state,
                        cpu_state, t) /\
         ValidOpcode n rep (ir t)) ==>
        (? (t':num).
          ((f_ac t', f_reg t') =
           FPCstate (NextState_fpc n rep (ir t) (f_ac t, f_reg t, c_ac t,
                                            c_reg t, mem t, ir t)))))",
  ONCE_REWRITE_TAC [Initial_State]
  THEN REPEAT STRIP_TAC
  THEN ONCE_REWRITE_TAC [NextState_fpc]
  THEN POP_ASSUM (\th1. DISJ_CASES_THEN STRIP_ASSUME_TAC
                        (REWRITE_RULE [ValidOpcode] th1))
  THEN ONCE_ASM_REWRITE_TAC []
  THEN DEC_EQ_TAC
  THEN CONV_TAC (ONCE_DEPTH_CONV INV_dec_CONV)
  THENL [ %1%
          IMP_RES_TAC FLD_Correct
        ; %2%
          IMP_RES_TAC FADD_Correct
        ; %3%
          IMP_RES_TAC FSUB_Correct
        ; %4%
          IMP_RES_TAC FMUL_Correct
        ; %5%
          IMP_RES_TAC FDIV_Correct
        ]
  THEN RES_TAC
  THEN ASM_REWRITE_TAC []
 );;


let fpc_top3 = new_definition
 (`fpc_top3`,
  "! (rep:^rep_ty) (f_ac:num->fp) (f_reg:num->num->fp) (c_ac:num->num)
     (c_reg:num->num->num) (mem:num->*memory) (ir:num->num)
     (n:num) (start new_instr resp_ready read:num->bool)
     (biu_state cpu_state:num->num).
   fpc_top3 n rep (f_ac, f_reg, c_ac, c_reg, mem, ir)
                  (start, new_instr, resp_ready, read, biu_state, cpu_state) =
   !t. (Initial_State (start, new_instr, resp_ready, read, biu_state,
                       cpu_state, t) /\
        ValidOpcode n rep (ir t)) ==>
       ?t'. (f_ac t', f_reg t') =
            (FPCstate (NextState_fpc n rep (ir t)
                       (f_ac t, f_reg t, c_ac t, c_reg t, mem t, ir t)))");;


%
FPC_Correct

To prove the correctness of fpc_top3 upon
interaction among the CPU, BIU and APU.
%


let FPC_Correct = prove_thm
 (`FPC_Correct`,
  "! (rep:^rep_ty) (response:num->num) (operand_out:num->fp)
     (decode_reg:num->num) (biu_state:num->num)
     (start:num->bool) (command:num->num) (condition:num->num)
     (control:num->num) (operand_in:num->fp) (done:num->bool)
     (new_instr:num->bool) (operand_ready:num->bool) (resp_ready:num->bool)
     (f_ac:num->fp) (f_reg:num->num->fp)
     (cw sw:num->bool#bool#bool#bool)
     (c_ac:num->num) (c_reg:num->num->num) (mem:num->*memory)
     (ir:num->num) (cpu_state:num->num) (address:num->num)
     (read write:num->bool) (datain dataout:num->*wordn) (n:num).
   (biu_top_cpu n rep (response, operand_out, decode_reg, resp_ready,
                       f_ac, biu_state, start)
                      (command, condition, control, operand_in, done, new_instr,
                       operand_ready) /\
    apu_top_cpu n rep (f_ac, f_reg, cw, sw, done)
                      (start, decode_reg) /\
    cpu_service n rep (c_ac, c_reg, mem, ir, dataout, address, read, write,
                       cpu_state) (resp_ready, datain) /\
    (cir_read_write rep address read write datain dataout
                    command response operand_in operand_out condition
                    control new_instr operand_ready)) ==>
   (fpc_top3 n rep (f_ac, f_reg, c_ac, c_reg, mem, ir)
                   (start, new_instr, resp_ready, read, biu_state,
                    cpu_state))",
  ONCE_REWRITE_TAC [fpc_top3]
  THEN REPEAT STRIP_TAC
  THEN IMP_RES_TAC NextState_Correct
  THEN POP_ASSUM (\th1. ASSUME_TAC (SPEC "t:num" th1))
  THEN ASSUM_LIST (\ths. ASSUME_TAC
         (REWRITE_RULE [(el 5 ths); (el 6 ths)] (el 1 ths)))
  THEN RM2LAST_TAC
  THEN RM2LAST_TAC
  THEN RM2LAST_TAC
  THEN RM2LAST_TAC
  THEN ASM_REWRITE_TAC []
 );;

close_theory();;
quit();;